Source: unknown | TCP traffic detected without corresponding DNS query: 194.55.186.201 |
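The entry above, a TCP connection to 194.55.186.201 with no preceding DNS query, is a heuristic that can be reproduced from any capture that logs both DNS answers and TCP connections: connections to public destinations that nothing resolved are suspicious because legitimate software almost always reaches servers by name, whereas RedLine and similar stealers carry their C2 as a hard-coded IP:port. The Python below is an added example written for this page, not code from the sandbox report or its tooling. Only 194.55.186.201:6008 is taken from the report; the other addresses, the record layout and the 600-second look-back window are constructed assumptions.

```python
"""Flag TCP connections to external IPs that no earlier DNS answer resolved,
the heuristic behind "TCP traffic detected without corresponding DNS query".
DNS_ANSWERS and TCP_CONNS are constructed sample records for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    qname: str
    answer: str    # IPv4 literal returned for qname


@dataclass(frozen=True)
class TcpConn:
    ts: float
    src: str
    dst: str
    dport: int


# Constructed capture.  Only 194.55.186.201:6008 comes from the report; the
# other external addresses are RFC 5737 documentation placeholders.
DNS_ANSWERS = [
    DnsAnswer(10.0, "duckduckgo.com", "198.51.100.7"),
    DnsAnswer(40.0, "late.example", "203.0.113.9"),
]
TCP_CONNS = [
    TcpConn(11.0, "10.0.0.5", "198.51.100.7", 443),     # resolved, then connected
    TcpConn(12.0, "10.0.0.5", "194.55.186.201", 6008),  # hard-coded C2, never resolved
    TcpConn(39.0, "10.0.0.5", "203.0.113.9", 443),      # SYN sent before the answer arrived
    TcpConn(13.0, "10.0.0.5", "10.0.0.1", 445),         # internal; literal IPs are normal here
]

# Explicit internal ranges rather than ipaddress.is_private, which would also
# exclude the RFC 5737 documentation ranges used in the sample above.
INTERNAL_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local destinations."""
    return any(ip in net for net in INTERNAL_NETS)


def resolved_before(dns_answers, ip, ts, window=600.0):
    """True if a DNS answer in the `window` seconds up to `ts` returned `ip`."""
    return any(a.answer == ip and ts - window <= a.ts <= ts for a in dns_answers)


def find_unresolved_connections(conns, dns_answers, window=600.0):
    """Return connections to external destinations with no prior DNS answer,
    in capture order.  Internal destinations are skipped because local
    services are routinely addressed by literal IP and would drown the signal."""
    hits = []
    for c in conns:
        if is_internal(ip_address(c.dst)):
            continue
        if not resolved_before(dns_answers, c.dst, c.ts, window):
            hits.append(c)
    return hits


if __name__ == "__main__":
    for c in find_unresolved_connections(TCP_CONNS, DNS_ANSWERS):
        print(f"t={c.ts:.0f}s {c.src} -> {c.dst}:{c.dport}: no DNS answer for destination")
```

A hosts-file entry, an answer cached before the capture began, or a resolver using DNS over HTTPS all leave a legitimate destination without a port-53 answer, so the rule ranks connections for triage rather than convicting them, and the sandbox signature it mirrors has the same limitation. The reverse gap also applies: the IP-lookup services this sample carries by hostname (api.ip.sb, api.ipify.org, ipinfo.io) are resolved normally and would not trip it.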
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201: |
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201:6008 |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201:6008/ |
Source: aspnet_compiler.exe, 00000001.00000003.412663066.0000000008CB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412625368.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412575103.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.402236725.0000000008CA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412702825.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g |
Source: aspnet_compiler.exe, 00000001.00000002.416441450.000000000309B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/ |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0 |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse |
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415687042.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse |
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron |
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate |
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse |
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/t_ |
Source: StZAEFSb2j.exe, 00000000.00000002.320604810.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tgc8x.tk |
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE% |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg |
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata% |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk |
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt |
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/lamb.txt |
Source: StZAEFSb2j.exe, 00000000.00000002.320562361.0000000002B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk4 |
Source: StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tkD8 |
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
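The tempuri.org/Endpoint/... strings above are SOAP action URIs of a WCF service contract (tempuri.org is the default namespace Visual Studio assigns to a contract whose author set none), and the bare-IP URL http://194.55.186.201:6008 is the host the client binds that contract to. Because the injected payload is .NET, most of these strings sit in memory as UTF-16LE, which is why the report attributes them to .sdmp memory dumps rather than to the file on disk. The Python below is an added example, not code from the report or from any analysis tool; it scans a constructed memory blob (its contents taken from the strings listed above, with filler) in both the raw and a UTF-16LE-narrowed view, and pulls out the operation names and any direct-IP C2 endpoint. The blob layout and the regular expressions are assumptions made for the example.

```python
"""Triage a process memory dump for RedLine-style WCF endpoint strings and
direct-IP C2 URLs.  Managed (.NET) strings live in memory as UTF-16LE, so
each pattern is run over the raw bytes and over UTF-16LE "narrowed" views.
MEMORY_BLOB is constructed for this example from the strings in the report.
"""
import re
from collections import Counter

# Constructed dump: ASCII copies, filler, then UTF-16LE copies, each
# NUL-terminated so adjacent strings cannot run together.
ASCII_STRINGS = [
    b"http://tempuri.org/Endpoint/CheckConnect",
    b"http://tempuri.org/Endpoint/CheckConnectResponse",
    b"http://tempuri.org/Endpoint/GetUpdates",
    b"http://schemas.xmlsoap.org/soap/envelope/",   # generic SOAP namespace, not an IOC
    b"http://194.55.186.201:6008",
]
WIDE_STRINGS = [
    "http://tempuri.org/Endpoint/EnvironmentSettings",
    "http://tempuri.org/Endpoint/SetEnvironment",
    "http://tempuri.org/Endpoint/VerifyUpdate",
    "http://194.55.186.201:6008/",
]
MEMORY_BLOB = (
    b"\x00" * 32
    + b"".join(s + b"\x00" for s in ASCII_STRINGS)
    + b"\xcc" * 16
    + b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in WIDE_STRINGS)
)

# WCF operations default to the action URI http://tempuri.org/<Contract>/<Op>;
# the contract in this sample is named "Endpoint".
ENDPOINT_RE = re.compile(rb"tempuri\.org/Endpoint/([A-Za-z]+)")
# A URL whose host is a bare IPv4 literal with an explicit port: the shape
# the report flagged for 194.55.186.201:6008.
DIRECT_IP_URL_RE = re.compile(rb"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def utf16le_views(blob):
    """Yield two narrowed views of `blob`, one per byte alignment.  Each
    UTF-16LE code unit whose high byte is zero becomes its low byte; anything
    else becomes NUL so it cannot bridge two unrelated strings."""
    for off in (0, 1):
        lo, hi = blob[off::2], blob[off + 1::2]
        n = min(len(lo), len(hi))
        yield bytes(lo[i] if hi[i] == 0 else 0 for i in range(n))


def extract_iocs(blob):
    """Return (operation counts, set of (ip, port)) found in any view of `blob`.
    '<Op>Response' action names are folded into their request operation."""
    ops = Counter()
    endpoints = set()
    for view in (blob, *utf16le_views(blob)):
        for m in ENDPOINT_RE.finditer(view):
            name = m.group(1).decode()
            if name.endswith("Response"):
                name = name[: -len("Response")]
            ops[name] += 1
        for m in DIRECT_IP_URL_RE.finditer(view):
            endpoints.add((m.group(1).decode(), int(m.group(2))))
    return ops, endpoints


if __name__ == "__main__":
    ops, endpoints = extract_iocs(MEMORY_BLOB)
    for ip, port in sorted(endpoints):
        print(f"direct-IP C2 candidate: {ip}:{port}")
    for name, n in ops.most_common():
        print(f"WCF operation {name}: {n} string(s)")
```

The same strings would also be found by a plain `strings -el` pass, but folding request and response action names and pairing the operation set with the IP:port is what turns a string listing into a fingerprint of the C2 protocol: the five operations seen here (CheckConnect, EnvironmentSettings, GetUpdates, SetEnvironment, VerifyUpdate) are what the YARA rules further down the page are matching on in memory.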
Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E446A8 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E40448 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E419D0 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E47321 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E45129 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E48108 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E40439 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E419C1 |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 0_2_00E43F60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_02E2DE10 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_02E2D2F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_0620E7D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_06206400 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_062015A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_0620DF00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 1_2_06201AB8 |
Source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.322199547.0000000005010000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000000.307650279.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321384668.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe, 00000000.00000002.321334213.0000000002C39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe |
Source: StZAEFSb2j.exe | Binary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Queries volume information: C:\Users\user\Desktop\StZAEFSb2j.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth |
Source: aspnet_compiler.exe, 00000001.00000002.436889284.0000000006526000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Win32_Process.Handle="3124"oaming\Electrum\wallets\* |
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB |
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\wallets |
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum |
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Il5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\* |